RE: [FW1] Cisco VPN client through NAT CheckPoint FW
IPSEC uses a hash which, in part, is generated from the original IP address of the packet. When the address is changed, the hash doesn't compute properly on the other end. This is not a Check Point issue, this is a universal problem with NAT and IPSEC. I've seen it with many different products and it always works out the same. IPSEC is doing what it's supposed to. NAT breaks it. Customer gets upset. ;>

Bottom line: IPSEC+NAT=NO VPN. Check Point has a solution for SecuRemote/SecureClient using udp encapsulation, but that's the only thing I've ever heard of that addresses this problem.

Michael J Lawrence CISSP CCSI

-----Original Message-----
From: Spigelman, David [SMTP:[email protected]]
Sent: Wednesday, May 16, 2001 1:58 PM
To: 'Franklin Hoek'
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

How?! I don't understand how it WOULD work!

-- DS

-----Original Message-----
From: Franklin Hoek [mailto:[email protected]]
Sent: Tuesday, May 15, 2001 6:32 AM
To: '[email protected]'; Chris Arnold
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

The new patch, 4.1 SP3, makes it possible for the first time...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 20 March 2001 11:47
To: Chris Arnold
Cc: [email protected]
Subject: Re: [FW1] Cisco VPN client through NAT CheckPoint FW

I don't think you can VPN (IPSEC) through NAT because of encapsulated source address issues, mainly encrypted in the packet is the original source address which can't be changed to the NAT address.

Symon
-------------------
>
> Hello, all. Odd problem with VPN-1 v4.1 SP2 on a Nokia IP650 running IPSO
> 3.3.
>
> I have an internal user who needs to connect to a remote ASP through a Cisco
> VPNZ (???) client which doesn't have much in the way of configuration
> options. I'm not seeing any drops in my logs but proper communication is not
> established. We are doing hide behind NAT on our end and her client has a
> IPSEC through NAT box checked as we use RFC1918 addresses internally (also
> fails without this option box checked).
>
> All is well if I connect her directly into the switch in front of my FW and
> give her a public address. I see the same problem if I connect her directly
> via cross-over cable into a port on the Nokia. All other traffic from her
> machine is fine.
>
> I've included some sniffed traffic between an external interface of my FW
> and their network.
>
> If anyone has seen this or has any insight into what the problem may be I'd
> be very appreciative.
>
> Chris
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 1 arrived at 10:41:16.93
> ETHER: Packet size = 352 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: . .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 338 bytes
> IP: Identification = 33852
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ff93
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 318
> UDP: Checksum = 1F70
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 2 arrived at 10:41:17.23
> ETHER: Packet size = 290 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: . .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 276 bytes
> IP: Identification = 54029
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba00
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 256
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 3 arrived at 10:41:17.25
> ETHER: Packet size = 94 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 80 bytes
> IP: Identification = 34108
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ff95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 60
> UDP: Checksum = 5618
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 4 arrived at 10:41:17.73
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34364
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fd95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 5 arrived at 10:41:17.84
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54032
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = baa9
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 6 arrived at 10:41:25.76
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34620
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fc95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 7 arrived at 10:41:47.83
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54063
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba8a
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 8 arrived at 10:42:17.84
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54095
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba6a
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 9 arrived at 10:42:25.97
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34876
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fb95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 10 arrived at 10:42:47.82
> ETHER: Packet size = 126 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 112 bytes
> IP: Identification = 54126
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba43
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 92
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
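The mechanism Michael describes at the top of the thread (an integrity check that is computed over the original source address, so it stops verifying once a hide NAT rewrites that address) and the UDP-encapsulation workaround he mentions, modelled in Python as an added example. This is not code from the thread, from Check Point or from Cisco: the key, addresses and payload are constructed, and the two ICVs are simplified stand-ins for AH (RFC 4302, whose ICV covers the immutable IP header fields including both addresses) and for ESP carried in UDP (RFC 3948, whose ICV covers only the ESP body), not conforming implementations of either.

```python
"""Why an IPsec integrity check that covers the original source address
cannot survive a hide NAT, and why carrying ESP inside UDP can.
Constructed model: key, addresses and payload are made up, and the ICVs
are simplified stand-ins for AH (RFC 4302) and ESP-in-UDP (RFC 3948)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPv4Header:
    """The IPv4 header fields the model needs (no options)."""
    src: str
    dst: str
    ttl: int
    ident: int = 1
    tos: int = 0
    flags_frag: int = 0
    proto: int = 17            # UDP, as in the trace; AH would be 51, ESP 50
    total_length: int = 0


def ip_checksum(data: bytes) -> int:
    """RFC 791 ones-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def serialize(h: IPv4Header, zero_mutable: bool = False) -> bytes:
    """Wire form of the header.  With zero_mutable=True the fields a router may
    change in transit (TOS, flags/fragment offset, TTL, checksum) are written
    as zero, which is how AH builds its ICV input; src and dst are never zeroed."""
    tos, ff, ttl = (0, 0, 0) if zero_mutable else (h.tos, h.flags_frag, h.ttl)
    fixed = struct.pack("!BBHHHBBH", 0x45, tos, h.total_length, h.ident,
                        ff, ttl, h.proto, 0)
    fixed += ipaddress.ip_address(h.src).packed + ipaddress.ip_address(h.dst).packed
    if zero_mutable:
        return fixed
    return fixed[:10] + struct.pack("!H", ip_checksum(fixed)) + fixed[12:]


def header_checksum_valid(h: IPv4Header) -> bool:
    return ip_checksum(serialize(h)) == 0


def ah_icv(key: bytes, h: IPv4Header, payload: bytes) -> bytes:
    """AH-style ICV over immutable header fields + payload, truncated to
    96 bits the way HMAC-SHA1-96 (RFC 2404) is."""
    return hmac.new(key, serialize(h, zero_mutable=True) + payload,
                    hashlib.sha1).digest()[:12]


def esp_icv(key: bytes, esp_body: bytes) -> bytes:
    """ESP-style ICV: covers the ESP header and payload only, never the
    outer IP header, so whatever a NAT does to that header is invisible."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:12]


def nat_hide(h: IPv4Header, public_src: str) -> IPv4Header:
    """Hide NAT as the receiver sees it: new source address, one more hop.
    serialize() recomputes the header checksum, so that part stays valid."""
    return replace(h, src=public_src, ttl=h.ttl - 1)


def udp_encap(esp_with_icv: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    """UDP header in front of ESP (RFC 3948 layout); UDP checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_with_icv), 0) + esp_with_icv


def nat_rewrite_udp(datagram: bytes, new_sport: int) -> bytes:
    """A hide NAT also maps the UDP source port; that is all it can touch."""
    return struct.pack("!H", new_sport) + datagram[2:]


def ah_survives_nat(key: bytes, h: IPv4Header, payload: bytes, public_src: str) -> bool:
    """Sender computes the ICV over its own header; receiver recomputes it over
    the header as it arrived.  A TTL change alone passes (zeroed field); a
    rewritten source address does not."""
    sent_icv = ah_icv(key, h, payload)
    arrived = nat_hide(h, public_src)
    return hmac.compare_digest(sent_icv, ah_icv(key, arrived, payload))


def esp_in_udp_after_nat(key: bytes, h: IPv4Header, payload: bytes,
                         public_src: str, nat_port: int = 60000):
    """Returns (icv_ok, peer_address, peer_port) as the receiver sees them.
    Encryption is omitted; it does not change the argument."""
    esp_body = struct.pack("!II", 0x1001, 1) + payload   # constructed SPI, seq 1
    sent = udp_encap(esp_body + esp_icv(key, esp_body))
    arrived_hdr = nat_hide(h, public_src)                # outer header rewritten
    arrived = nat_rewrite_udp(sent, nat_port)            # UDP source port mapped
    body, icv = arrived[8:-12], arrived[-12:]
    peer_port = struct.unpack("!H", arrived[:2])[0]
    # The receiver records the post-NAT address/port as where replies go;
    # the integrity check itself never looks at either.
    return hmac.compare_digest(icv, esp_icv(key, body)), arrived_hdr.src, peer_port


# Constructed sample values (not taken from the trace in the thread).
KEY = b"constructed-integrity-key"
PAYLOAD = b"inner packet bytes (constructed)"
HDR = IPv4Header(src="10.0.0.7", dst="198.51.100.5", ttl=128)

if __name__ == "__main__":
    print("AH, only TTL changed:    ", ah_survives_nat(KEY, HDR, PAYLOAD, HDR.src))
    print("AH, source address NATed:", ah_survives_nat(KEY, HDR, PAYLOAD, "203.0.113.10"))
    print("ESP in UDP, NATed:       ", esp_in_udp_after_nat(KEY, HDR, PAYLOAD, "203.0.113.10"))
```

Running it prints True for the hop-only case, False once the source address is rewritten, and (True, '203.0.113.10', 60000) for ESP inside UDP: the NAT changed both the outer address and the UDP source port, yet the ICV still verifies because neither is under it. The model covers only the integrity check; the other reasons plain ESP and IKE struggle behind a hide NAT (no transport ports for the NAT to map, IKE identities tied to the address) are outside it.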