[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] SecuRemote behind NAT device
Hi Upgrade to FW-1 SP2 or SP3 and follow the attached document and it can be done. It worked for me!! Rgds At 12:42 PM 6/7/01 +0200, Laurence Mayer wrote: Hi Does anyone have step by step documentation for getting : SecuRemote Clients (4174) on the internet, working behind a NAT Device to connect to FW-1(4.1 SP1) and then to Local Network. From: <Saved by Microsoft Internet Explorer 5> Subject: FireWall-1 FAQ: SecuRemote Client and NAT Date: Sun, 28 Jan 2001 20:06:26 +0530 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0000_01C08965.CBA7AE00"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C08965.CBA7AE00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.phoneboy.com/fw1/faq/0141.html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>FireWall-1 FAQ: SecuRemote Client and NAT</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.2014.210" name=3DGENERATOR> <META content=3D"Dameon D. Welch ([email protected])" = name=3DAuthor><!-- This page was created by the Gecko output system. = --><!-- This page was created by the Gecko output system. --><!-- This = page was created by the Gecko output system. --><!-- This page was = created by the Gecko output system. --></HEAD> <BODY aLink=3D#ff00ff bgColor=3D#000000 link=3D#00cc00 text=3D#ffffff = vLink=3D#00ff99> <CENTER><A=20 href=3D"http://www.phoneboy.com/redir.cgi?http://www.verisign.com/cgi-bin= /go.cgi?a=3Db00"=20 target=3D_foo><IMG alt=3D"Get the best VPN Training from Verisign" = border=3D0=20 src=3D"http://www.phoneboy.com/gif/display.cgi?vpn_maze_trn.gif" = NOSAVE></A> <A=20 href=3D"http://www.phoneboy.com/fw1/faq/spiderweb.bhtml"></A><A=20 href=3D"http://www.phoneboy.com/fw1/faq/fly.bhtml"></A></CENTER> <H1>SecuRemote Client and NAT</H1> <H2>Q:</H2>I'm trying to set up SecuRemote client behind a Cisco router = doing=20 NAT and can't get it to work. I've looked through all the FAQs and a lot = of the=20 messages to the FireWall-1 Mailing List but am still unsure whether this = is=20 supported or not, as there has been a lot of discussion about SecuRemote = not=20 working properly with NAT.=20 <H2>A:</H2>If your SecuRemote client is behind a device that does any = form of=20 Address Translation (including another FireWall-1 firewall) and you are = using a=20 version of FireWall-1 prior to 4.0, this can not be made to work. = FireWall-1 4.0=20 and later will support client that are being NATted with the following=20 restrictions:=20 <UL> <LI>The SecuRemote Client must be 4.0 or later (build 4003 or higher). = <LI>You can not use Encapsulation with the FWZ key management scheme = (you can=20 use ISKAMP or unencapsulated FWZ however).=20 <LI>If the client is subject to STATIC NAT (i.e. one to one = translation), it=20 will work provided you follow the steps listed below.=20 <LI>If the client is subject to POOL NAT (i.e. a many to many = translation done=20 by Cisco PIX firewalls and other similiar devices), it will work fine = so long=20 as each client is given a unique IP addres and you follow the steps = listed=20 below.=20 <LI>If the client is subject to HIDE NAT (i.e. a many to one=20 translation), only one user at a time can use SecuRemote unless you = use UDP=20 Encapsulation Mode (more on this below). This should work fine for = users that=20 use a device that performs NAT for their home-office network (e.g. = users with=20 cable modems or those with Unix or Windows machines performing NAT).=20 </LI></UL>HIDE NAT will only work provided your NAT gateway does the = following:=20 <P>For Unencapsulated FWZ </P> <UL> <LI>Insure that UDP port 259 on your NAT gateway is mapped to the = SecuRemote=20 client. FireWall-1 tries to communicate via this port.=20 <LI>Insure your gateway will pass packets that have an invalid = checksum unless=20 you disable MD5 checksums. </LI></UL>For ISAKMP=20 <UL> <LI>Insure that UDP port 500 on your NAT gateway is mapped to the = SecuRemote=20 client. FireWall-1 tries to communicate via this port.=20 <LI>Make sure your NAT gateway can pass IPSEC traffic (IP Protocol = 50). If UDP=20 Encapsulation Mode is used, make sure it can also pass UDP Port 2746.=20 </LI></UL>If your HIDE NAT gateway is a Linux machine, see the following = FAQ: <A=20 href=3D"http://www.phoneboy.com/fw1/faq/0372.html">Using SecuRemote thru = Linux=20 MASQ to FireWall-1</A>=20 <P>If your HIDE NAT is being done by a Linksys DSL router, make sure you = are=20 using at least version 1.34 of the firmware. </P> <P>You will also need to modify objects.C on the management console. = Edit=20 $FWDIR/conf/objects.C. For guidelines on editing objects.C, see <A=20 href=3D"http://www.phoneboy.com/fw1/faq/0409.html">How do I Edit=20 Objects.C?</A>After the :props ( line, add or modify the following lines = so they=20 read: = <PRE> &n= bsp; :userc_NAT (true) <BR> &nb= sp; :userc_IKE_NAT (true)</PRE>FireWall-1=20 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" = feature=20 that uses UDP to encapsulate the encrypted data when IKE is used. = This=20 more should be far more compatible with NAT devices as all communication = will=20 occur over UDP instaed of using IP Datagrams. Both FireWall-1 4.1 SP2 = and =20 Secure Client 4.1 SP2 are available. Look for the section in your=20 $FWDIR/conf/objects.C that has your firewall or gateway cluster object = and add=20 this to the object definition: <PRE = wrap=3D""> &nb= sp; &nbs= p;:isakmp.udpencapsulation ( <BR> &nb= sp; &nbs= p; :resource ( <BR> &nb= sp; &nbs= p;  = ; :type (refobj) <BR> &nb= sp; &nbs= p;  = ; :refname <BR> &nb= sp; &nbs= p;  = ; = ("#_VPN1_IPSEC_encapsulation") <BR> &nb= sp; &nbs= p; ) <BR> &nb= sp; &nbs= p; :active (true) <BR> &nb= sp; = )</PRE>You=20 will also need to create a service object called = VPN1_IPSEC_encapsulation if it=20 does not already exist. It is a service of type UDP, port 2746.=20 <P></P> <P>By default, FireWall-1 4.1 SP2 and later that has had these changes = made will=20 invoke this mode if the UDP port 500 packet coming from the SecuRemote = client=20 has a source port that is not port 500. This mode can be forced on the = client by=20 going into userc.C on the Secure Client and adding the following under = the=20 options section: </P> <BLOCKQUOTE><TT>:force_udp_encapsulation (true)</TT></BLOCKQUOTE>It can = also be=20 disabled entirely on the firewall by changing :active to "false" = instead=20 of true in the above objects.C modification.<BR><BR>UDP Encapsulation is = known=20 to have an issue with Gateway Clusters. To resolve this issue, upgrade = to=20 FireWall-1 4.1 SP3 or later and add the following two lines to the = :props (=20 section of objects.C:=20 <BLOCKQUOTE><PRE>:IPsec_main_if_nat (true)<BR>:IPsec_cluster_nat = (true)</PRE></BLOCKQUOTE>This=20 will tell FireWall-1 to always send the packets out with the Gateway = Cluster IP=20 address, which it does not do by default.=20 <P></P> <H5> <HR width=3D"100%"> Last Modified: Friday, 12-Jan-2001 17:08:02 PST<BR><A=20 href=3D"http://www.phoneboy.com/fw1/copyright.html">(C)2001 Dameon D. = Welch, All=20 Rights Reserved</A> . [ <A=20 href=3D"http://www.phoneboy.com/fw1/homepage.html">Go Back</A>]<BR>Your=20 corrections, suggestions, and submissions are welcome. Email to <A=20 href=3D"mailto:[email protected]">[email protected]</A>.</H5></BODY></HTML>= ------=_NextPart_000_0000_01C08965.CBA7AE00 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.phoneboy.com/gif/display.cgi?vpn_maze_trn.gif R0lGODlh1AE8ANX/AP//////APL3/fL3C+/v9+fnvefezuLt+eLtF97epdbWlNa9tdaMpdLj9tLj JMbGe8La88LaMb29a7VCWrLQ8LLQPq2tWqHF7aHFTJycnJycSpycMZwAMZG86pG8WYSEOYGy54Gy Znt7EHNzc3NzUnGo5HGoc2trCGNjAGGe4WGegFCU3VCUjUJCAECK2kCKmjExMTCA1zCApykpACB3 1CB3tBBt0RBtwQBjzgAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C0FET0JFOklSMS4wAt7tACH/C05F VFNDQVBFMi4wAwEAAAAh+QQEMgAAACwAAAAA1AE8AAAG/8CccEgsGo/IpHLJbDqf0Kh0Sq1ar9is dsvteomilniMGptbmk9rNluby6g46vSRFO4Kjegk6n9EG3+AfXt1CQ9rbIqLLR8PChYfJ5OUfTiX mJmam5ydnp+goaKjpKWmp6ipqqusraoAAK6ym0JicHAtZWIiFgoPaopnublxJxsPBQ8alHyEf4F+ exsJBRqL19govcp7k4Cz4OHi4+Tl5ufo6eBCt8TDKBqPEh9xiWxktrmOh8vMhH0bCAXscwLFBwsJ LKDAxvBePAXzRPxRR7GixYsYM8qChYmjxlG15NSbo0EBJBFyTthrg88gMmXMvP0TBI2QSjEnkFlY yagNy/82jnwF+ki0qNGjSFd5xLE0qSZ2Ig1K8LWsGKVEbsjs+xWz0r9oXwuayZmQp5ufWLUlUOC0 rdu3cM8tbRoXB1SSUyOl9LdyzL553ppVavY1rK4zIh4k0GA26xifaOpKnky5sqa5sTpmdiuEzzYN I70SWrgoKGDCe1KLBqTYQjext+rZUvyAdDDHZmZY3s27d126SYXkpWfL31fbQSOt/senOR0J/BIs LoirOq4TGg4BEybMt/fv4GfBaopZshDQZKyiHj0j58k568M256VgMRttydTYiioSJ8JfuHUX3oAE FvjJeJsxtRlwbdWSnlWFSRRPQijJFCFzIpRU1jVkSTD/En/95VJSHtyNYeCJKIKH4IosVubgO/AV 9sGIrsU4kzM2AVJfbQ3NsE+N6lE3h2zwPMIYdykmqSRlLDbJ4FsOxmahRL2cNKWMXx1ziEqQMdRI fa51NUlUY0yInhlLpqmmU0426WIOD4q2gQIFSJDahYIwZwiAPnnZJxom9dPVSGd8YJIFN7Ww5qKM UtQmAAxwwMCKu4VEjI19wCOdHhEK8oenFhRA4hl9YmNPCwgpsMGgQh4mxj5HNirrrOK0OQIJE0yK YKVwwugVcSLUF9GF//SSkKtY+dnlDGo9sGpMcrhjRkl20mrtta84mQMMblpm6V5f2QKdszhKRIiG dpbI/9M97Cbro2KnjdmOMHWwhe29+HqirRAZTCBpt5NFCe4/72S3WJ7n0glgiewq++c9P7425DuP sXFCvhhnrCCCBiwwxAKR6kopZd8WU1i0KCSWwLCsaaduxWbd4+6pNKLUH7KJaKwzrbbmwMEEj/Ka D4SExdbCCdCpakgeKt3MXY/JnpUbqoG2KoxPO2fNKIsZwGDACDncCkMGTgotpUx8REXdiGu5th8+ pD4cTLsPO9asJBSTqvXe4S3BItgZkJDDAmCPsO8XiEd56aAguuT2zbI9zawFjPV0qtSItRb5Y2vw 7TmvTGjL7bYLGHB44l+EEZtVIjFeT6vVxd3GQ5WbGv91iVMxhsvUn/delxGPrjgCDDCQQDwMhgev /PLMN9+mcGpYhzJ8roM4DHdIHxJG1KVKzRJOU0V/vd6+l+8UEc4DMDy/gi+Q/vvwxw+LcPMMLYyY lDQuLecGo1eGn5gbyyMWko+rKcp8CCQK+pzXsSO4T34QjODzclAHCWygRCnzh2CoAzuctUBldrrF Nc7SJal94BBvyNtjEshCjCzQeWAjHBG8JsEa2hAAQvCRBJx1P0AYhzD5m94bspMHOFBnXXWb1qjg VqIWOlEdQ4gf2Ig3BG7d8IoQzKEOlUEGiWzgWd0wjLyi5Rfa2KxVUGuYGMLHnd3l5olwLEcU4UdF IiT/D4t4fJ8WZyCCHerOixYI05UkRij/HGp10eoRWtyzvTO4kXNxjGQ4hAA/AnjMCHdkHgxyQIIV EcBfHPgZAwjAANMBwF9Ay2OT9rhF13xgA4FUznyYM0ZdGGRHqtsLdRQZDEPV5mXqkqQwWzHH9F1S CDJ8oPOKCQADhFJXCwDlA0PJAVWuMgfXSMwDLBhLCy6nGyj7YJX8px742GaEkCnJkZg4vqsN852o YGbzujZD5JnSeZu0IgAIEEpl7tNfD0SlNVnESjZo8wGB9GNMmHOzCT1ge62DFi+pph8VAlMM8Mwo KSj5PgIcQZ/v82ekqrmiBXBAmf6UYMcMwNJrMuSg/xLw42tEE60+BupB1AuiIlHwgIe2pIDA1I1G h+oJee7znk4SXBEygFQIjpQALJpASm9oABIEDqTjKagi6tDTniokpzaRA40OczaJNsQRv7SfBw14 QKK6NRMcXZEQaNgkAzjwhiNNJcegqsoRLGCTLm3IQRemyz18cCoLG5oudcoQQ63zp7qYBOdM+NbK XiKuCCIC2Vi0ySLAggBXHcFmYWGADBgOtMV7YGnvONKfNXU8BmCAyPYp21y5j5SyJW1uSTkB2zaT AC0lqFYVkZOeXjA9lXiIh4QRUWidcwZwKklFKeZGgsAMKA+w7FuNCoDOCqGTCDrmXA2XgW1lQIZe M/+Ad9Vbx/IWk5/UFCWCWktSSD0zmj/rbShB6VpRgnK2gTXVfXb4UJkVo14K2A5kc8pYRfDUpxgc 3xczVbF4ZFe7RMUsggjgXU4iqMPbAkB5YcBX9W0Lqp0dWzND3F3MOjO+P/MnKGFh0pOOR6AMmAAB Ppnfe4KyxAEWMLMI/IHvFQkS6lqdcwmIXR4xt51x0MAX/5AoC1sAwxnOQZvsakcaY5LLowXAJcl2 SazCAmxa3jB/qanXkcJCoOOpsUifGV46TxC6DRHDkHta5MP6Qj/fc2RE+WOLkuwkyXnjhZQHUhAr txXL8NRwSZfa4hkSQKnHO54QDHfJTI4HzU0iJYz/deXmU/6MY3aGxVPr/K8755ld2uCzlUmjZ0fC KCVqq9djL7oLCVBuyrzw6kIgrVFJC2+pRiDbxxbA7GaXTsz8ahKonSRqapqu1HAmbartW18ab1u4 bMCml7Jiga7WDy0RbhwcjvGARLWxRBrwdSC/yO6dsIHYGTX2ikBcBCtyN87IlLa+YUvNSZW61KoO JVIR7u1W70uRWFlDrLkImVqnkLqxQ0HueM2deMdSyvqwB74jneZHidcIpvy3lwcn8JJ3e750LjWP dcVjvSb85TUGsFyxKW4AQqbcFI/4k9tRSFQ94tAcH4MF5D1v7o38nQP/MBLAi0MhvBbgLP9bXG3M /6Kcc3s8Nc+xpID8dVbrPLM97zk6z2DhytU60BfHGXYh8r+gJqKPMQ1kkRsm1KdLMupYR/l4lEr1 rgdc6y63+XhG6j6E91a2zHYSw8X87Z3jGeIVNzpCb4dohiXmzwF6OyM2IG87ze3efv97yYPHb5By OeukzYHpLjlVE8seFpWH86qdefYVTd7rrr68gLPCEkejm+PL0gZVvEdCRsxo6Qrhe99TD0fAj8e9 ml3R60fA0sI1E9NNVe+mofqzn/EVvzpu5n8tyebe+ha26/8sKCdw9fnxXBFqtxxajG/xoMLdDWO1 LF5iDLHkLqhHfdW3eqw3Q6G2PnPlPuyVaaPVNf+Zxi0Gt2ZSRVru537wBWP7BVU5toGpJIL093C8 NDfCYGGIUEIM42AB9C6+wCXSFwx8AEu1sxIIGEfW92nZN1Dxw1vuF1+KFz9adH+YR3xo0FVM1n8V cw/I8hMnsA3b0SMpM2UzmIMJ2DwcNldk54PMEynpF2fUVENDcA35h4KBNjtK2C7NxwjuxjltUG5I BjUp80oicIVY6EQ7uGH154XBA19dWGNkKG5nmEa4wW7tpkal4oSN9DSN0FMeQoU1+FyKkId6qIB+ qEomNYSUx4l6lAN3GG6iWIiZBxloVWCLOEIpE3qLRGTj5gdteICWiEB7mIkQBIgsEjKDuConOHz/ nMNVvwBxRzNd6hKHPcUY+TcHf4BE0zeL5VOLtig/YAhkYGhDQvBKKECIE1VCprhN80CHffAyJRRv vnZOONEHDIFNzphA0BiN8YN++pUrNyQEgbAB2bgI2ghAU+MIMZVnuRCOyMdHrigzadMj60iLmOiO ChlB7EBviUCKQkZ8AhmMtsMHCsYwJKQNMeV2RxMGBnmQz5iQCzmSn8hHr3RBadeLSDhkO7R3jDAH AMlr+xdTkXg0MmiGzQiSfNOOJNmTaAcUU8YTRrh23FhBynAb/7iMmcdWzkeT9DAHQlmJOtk7POmT PqlFLUBvdwiRPmcPeEdxLFGDdxh64ngf5SYBIFWhSFNJlSJplW55TagTl3I5l3RZl3Z5l3iZl3pJ l0EAACH5BATIAAAALGsACgDlACQAAAb/wJhr6MIZj8ikcgkBLJ/QqHSa7ECo2GwScNV6oc2vCwDK NgFoQer7DGNppRh7nnSzbamVN9ZBcumAdlErJUdjZVhNLiUXaIBIglIgAEWPlmyHXoJ/l5pOU5w4 mYmfOIpHcCB6SCsgIHKsqjRhQjZHQkg2Lo0lLrZGrXFPuC4gKb9GMSWqRrqwOLo0OLhHrSvOqMvH RosAFy7SwCAl4Ug0Lg2UvjhcNCmvR7o2MfDQ7+Tx4LeV4tcxsE10MVMiBECDIaLIKMMXi6GddOFS oEHT4AiFiWSOnAEg4ICTSWugGUQyBmORGB4n9lHSpBHFXyUwVqQB4MARiWvc2EhHkVPJ/5fsMJbZ iXHVkUkm2R0QMBHRmDNlYjCdGHKUqU9EKTbo0oTnyDoYnYzxCmBVVjQ5yYBId8EITTUxmoTsQG4F UyMSD+RJiYMmBWAACuXjtS4dBBcpPIaExBEEjYuCU3T4JxfHRVgXbbmZdAAx0y4xLqyIG1hUzG/S LlJQ9hUVOnW20ByW+qnkYRo2mF6gx1Sa1c01EXvk2phGOqPJxiIsecEdpw4AKLjreFXl0dLToud6 XaTJqhiOcKSz1QjZ9UrgbeINpRFA1YwkJ5WR2MevETceYUnscivm34SIsCPAEek8054fAvzSSBFj HeHfEdD18dsn+a1H3CorwLcFf08d4f+REUwpSIkidgEQjksYdbFWUgEdcRcOMa0hwH9JTFKJRG01 wxFLJuro1EYZ2VATjO7d98mQbnFC2kRdjPJTUmD5wZ+NAF63WIcTGrFjksQZoqGUXgboRlhouABc jhES4YIcMTWQwi6UXFXOi35luBgSVOKAIypbMuZHGW+B0A0ijcTQwIBGaolodl0IIICgHVbZV3Bq mpfoEaFQadUkguGQ4RVWhdcneF1y8yWmHGo4pgBqgqOTo7bExJ9FcYoXZyMhZVgKBQKUt8Qkq7x1 k3ZRYlpGhivFhEiGF+V4lREerQIdqMTuZ+pKODBlIBM9ajllnFZJRCN0hYyxUknQlmX/xLSXSrqF eu7ip66fRjQyFFMUrJDCYXpyASe4HL0z1bDEKiErQhfp5RI/Bxo76QGtMBXgVEYB580ZV+SmRgnD JVPTCnpAd4CgHdCIBHSiSZMpwAHaCsG+HNkipAARhxfTxbK1axUS6ZSwRpY4TPJoMX/Z8ZYttE0k x1kLGoGUQenEgwZyuUw11EVp3Nmwlog8be8RjcD77LppyGpECVMZ1t4fNmCNhsm3TFXEygx+edYB z0ikVSnQcWT22O4iobdYqvKNEdxPEGHeOUucUw7Piy6hyzpuIXSHPnTQNCvmSQxRzjlrQjH5HEIw XPm2SWj+xTmoNz5E650skaGzsdfu/1YKJ2Jn++5SuJN7p7wHH4ULHgnwuPCP3LyUQZYiL7zeyzfQ vPPOPzYZ9Ze4cwEEF2yDffUpbN/99N+Xb/756Kev/vrst+/++/DHL//89Ndv//3456///vz37/// 9Zsc+QBIwAJmgQZycw3qajE5z+WDctDg3PBONQUrwE4LyqiHAes3CQpAcAxiAxEAdBEWCNiiJAHa GRRUOIVTAAI8EzHeBunXhOPhoELV0M4YRHMB3SQkZqZq2Qop+L1vwIl2/wMHDYwhDXc4xhzv8J4o WvULPBhjgBk0yjnSMQTzTAJbOGiEHpw0EhAC4FxEnMY46vaKEjDkFq5AzjmQsRB+0P9jIM1IQQpQ Fx4CGiSGLpgKAGABwzSEg0wnEaQAWtc3NOAtaGFhGE3gJST1jGJmAPKIb4iIIsKRxSidlJ7TatXI T5QyR4Ob1aQi9z/Z0EM2iDljMlIWIW4MgTO2SIdjOqiEvLypK33hDgSNtAr6BBEajfjLIWYXuFHq hXHMcY6KavJLTlDJl9A0yJu4aApW6QIsQvRfH9FwSFXGwFqocJQcwFORdPFoMTiMxLByVENTYWSR VaohCz3CsEjdkEK1Coo0qJSOO+EKMGVgiukgiThx8gdJpgANr5gUj+PYMyyWQgMymga4JGhsUu1M yAG4V4JfZGIMHqRgn455qZVepAj/VNIoY8Lyl5tBwEA1GeD+NBQKCHTBI0YMBS+8dJBKJSFEYKuV PJNKiCKxlCTwaYJ8lADRp66KMTCNUx+NBKnXcaN4t/DGDHnKH58yylTTpJ2QuvWEiyymN+1SAkqX ggwWjgI8ElMCN8PUMIuKZISQLIJb8STWJ+x1hg7zlkZ+6p7E/AGvRg3bmzoQTuY4lkZL9RAaaGdX DbkknLr6RhmApitjMGUlmtpsMSblDX11QTR2gZc/C0jWxeIlbVv5YVJsACTg3USQFEBGZkcZ0Ga6 iyZETIEg41UK5VpnlDcSpBycmwYtZc1LqkTs8C5IEAeuUILum5wNJefdJ0zOQER4BCD7ggAAIfkE BMgAAAAsawAKAOUAKAAABv9AnHBILBqPyKRyyWw6n9CodEqtWq/YrHbL7Xq/4LB4TC6bz02aKzaM rdHweNT2LrptzxSELVyBUi5CMRAdZSUAABBCHYiKYBAAcpJSMQACRgcANE8gAIE4DYiIgS6JZQIC KXyoqls0JXw4kJNLr7GSoStElQ1UpQ0uLh14aKZDxludn7KRtEnKzikAF0SMKUI2KX/EOGuv12p4 FJ5GdTjZIC50m90xNn63Rn4gscEAwG6lF3XoKdzeJXThiJGOHTYXFwCUcLEJ0jsQAoe8gsgknB+B LrYRQVfC4LkUqugkXOgRjg1L3FDhiSFAlAA+AA60VAQtYQNuQoyxFBUKRE7/maIKGbERShQ1HKIa JTW1E5EAdjFnMkMUsdtSn5CKAqAwRBrPJZ0yIbqQEFEvQS1FXcOxQhSEUkl9Tkq4tu3RTCBoMDqK 6EAraDsFyM3pCNKeTgDkml3TEqcQwy5SZLpmD5+9fWzwxtibM6aqShRsxPAoUiFDZn6JAmBDw5Iq SGuRdBJMo2gHGuM22Wh5gWDLhp7olCZJqy1XHAkDVXKEo2Vng9Bw0ICUiJip1peEjFMMgBijZYIs DWl7FilzpHJLHW+eHRE7aTdlk3u8WsihEjgOyV2upNPRQ460hd8h6zFSSCbgRedMJjacdIAQcC31 ExEKdtPSWqboM4R+hA1R/6FVRwnhXIfHyOWVhEiVB4olg1E4HzNDlOITYkmdZ0Qna8kIYWI44NiG KYckwseHklgjDX5WvRVMMCQK8aFxHaq3IY/mefjijuud1EyVJfaRyJJMcokNCC0J5eIys+w4IwAd gBlPEdGV8omOnSDJljEuhCIAHkTK0VoDkLDTWndGINPjlXc6ch0ixPTU5IeDEtMWc4ZSWcmehdqY 5I0ARJSmVT5Jo+kz88mpJg7wDcFIi6EE4qMzQhS1HjMNAHKBYudBU8IFJXTQEq70CdCBWMA6iSgO jPjFyIuVDpZVCivc2iRBCClkBHxMfqrjblutoAd4nM5ZKpWhQLACJJh2sP/CCgI8iOo9YdLiVVU2 UIcIkoZCsywiZhpTb1+dFHsouIu4FJuY6A2hmij4MndifEXYQCyMpw4kFiJvnrmjuHL92xdMTiG5 cIuwGpFPSUnQoU4T0pCcRjCONXFyEmqgrDDMTSwZsxX5bBTvQSuXbIYLK+AhcX1CJ6300k6Mc89Y TEct9dQEUUAIwVNnrfXWXHft9ddghy322GSXbfbZksRQAkQ2c6GjF+iskPEZNZusjso4A01EODRr AwjV9iIyxtspwwIFt6LIa+g54kU4Fh5wxdYnsldFTcNMK7hQwqhuU5mEqZxsRXSIcnDrkTTU6JPC Bb9aFRMxfSYkwEKrV5X/NCSkb+S3QWqgmg6EGkFIw0P1eN6P0Zqbxs7xR2SCBEH02AHCQtIF3Y4g 6mjTBgjRGzESEaGw8fakVrU+8LWWzD3PLebwvQ5BfPgRNPNOYLdzCmm5ZqxWHZSFzD35O8rbmhIT NVSOgC8xQigu4JjAicxevVCQMbIiuKncqxz3kEgGQbUjRZTCV5gi0jgOpjCtTOMYzIHGLxABAsRp YiD5S2DOFieEy03DNy+cTV6INR1CIeVLJWgJKaj0qxgkZBjJI05PaOAfefQlIp0AhmQwlRC/0IAN EiwMi1wFrynGLBPsqNOpanNCGXGISI05AmQkQyVkqLARK3gFjwQCCXp0/2JWSiAcEQ4RooSsSSh3 FII0MOTDThRCR1JinLtAx4shOM9kYjlKKNjBCF24R2Mkgs0QJlkw2+WHTUJg0I6S8hQOysQGRKpg ESIVHne5kRylcBdyTljDmDhyS0soxajoMh5TdEIgYuSgmHTJQRolZWOjRNER8FefpbDwF3BilhYN 4kzPafBBlQhRLAnhj1OhjkhgxOCsRvTKIZrJhgfQheNE0baIXbII1uglV6ITpzaWB0o6IhCYxCUu JeksCRyiCpiuuLjotEaLRBDokmw2DiN2KkbWrFgmkmOE7WDwPORkzjiG2CIalCVz8ALTzo5gE8dI Yz3fo+e4uOMda+noUv9HKMVaWNmEgDGDhM15YVes9S6EDkGTS5CGr2QpTCK8LUIEgwu4tCSpDYon lLCM6Cdb+M456KkDa+vF0SCgB5Sc76tvc0oKgrSJt5ULWtKyCjACMQ6/CMNlF8BqWQLRFmFpzl06 XAF+LuWHRtCHCHVtUwmIWoS0tEiPFZsK1pbFKxBIixGzI9NDcTCODrAxqoMBSZ7IUUVAYPVw/qtg DLRygCHNp56KoUD+cmQpE4qsKD7x2AWLYC/BWEkUstxXM/xnNZ/eti9JKItHEFtUpSJhsHEpmFjb kBYBbLSo+zqObHl6uH+2wRxQ4JEb2jmQYJTEu9c9zRHUYD2gxUNlvBMm7xJUNrczzEwiebsZ1uxQ 3uqp1xlSRZt+9Zvf/fqXbL/7r4C3EAQAIfkEBMgAAAAsAQABAFwBOgAABv9AnHBILBqPyKRyyWw6 n9CodEqtWq/YrHbL7Xq/4LB4TC6bz+i0es1uu9/wuHxOr9vv+Lx+z+/7/4CBgoOEhYaHiImKi4yN jo+BLy83kJWWWTImISw1QgERQioRMkkBIUsRAWU3CAEBL2I1krOdsrOUQ7azpDi6krxDkkY3L6Qy s7BDx8A4wkbIzFipoREqaDUqISq801efR984otFWMqmurp6gOCGvpadK3WMmARWTYu3opuz6AR5D +dCtC+hq3RAHAVgUoffvnKsB1nCkGoALRzoj/QYkk6aKHzwyNzz0MyGxo5VwRcK121jkhglySWoM +MTihYl1KJfsi2cSn7v/Me1M0OJngkWImRGD7hKi9FcRFfWKtOqUyibCAJTOfbyY8pWJClyvyEOD cIBQFRhIjaWSc0hbJC9+NkmFAdw6WRVraLq3Uxa5VDeMKiSidxORFzVkhEh2I5uKirleYAggFFfh x5FxGIUsJJPhIyuLhNbsj6lcgKdbuqooI4ADIfIQwkqFgKKnnm5NIgRWePAQoyGiCa7RDS8OYjWw BS+ieHkuE9uENFbBMlQABJxLBv78nLuQwnzvFlP3/d5xFdSJ0RPaaUmNALYxDvwpEh2pfTIGDPjr Gt1r6/7h0h9+Mz3UHmr6wAIVOvuZdk519ARoxGioJbOeadXxkyERk0WE/4NIEckz2WwBQPWPRbjd NkQruCzoSgVDOFTiQQy2gmEz9RQ4oxCToXNiQHXF5cp/RKTiW5EDujaEi661mKBFoOS3o0ruCOma la58lERcBqU0HywswBeCLJ4Epx9MtD2GkEI36LcNWCSh6AAnOLQS3GQnRjZZZXENcOd1pvlj3pIe yGDOjkS0g0EIjHaiaAiTYWfaoowm82ijRoQJoxD64dINCzOppcpUKIJjSgitnNgndUYK4cFLUA0g BD0IsKBCKx2FJmQEksBnnQMv3IoVDgMgkJyok2QYFpIIqOmOTBDVAJY1fYZADCWfSOkhlbCAlax6 lCHGRFxaEsEtDnCmVP/BmUhUZd0pJn4XDny4xLWpRbJO+FO6QqzJT55wtVMuP08SFB/B6MBDUGpC kBpmXbD1A/E0D5eKkT55thNRxUMQs1tJgwl5Y1wIxNhRKrwE9V6DDSPaVbs/QXUKQ/KCgmdKtbl8 bise4rjhEVwicW4qB97mchHykIuwf+TN2s+yN5Z0oMAawiXjwBSaJlQqH2UddRIikTSiyRFUsJjJ Eb+XIoovhDlAezIW5CqursAyU0UzjRwAxPxw+vQp9WFAyYKjXJxdScHss/A3KHe1t5c3hpmtEHH9 PIwrRbv1JeLqsntE0orvjUwyO4lTz+ig/dS4q6FvuPJi9GCdWmg3+Pr/dYXuNQko2kZ0Yy/UFlON rinQ4EBPBDWNjdCBF+laejst1zSUOK3898JEnPGLtElKt+MB6kTjPBNL5zYzUSeVPzGZA9md22FK 2sCHJvf7hFkyRh+1lq8So+1JIyleE0KYThQ7fVWnfzsKYACNgJCgIOlzJnGIqaRDL+NFZXu8aEW3 diQ5vXWtI9prSd5MVh238Sdx8FJSEURSrmzJT3O3c1dceraEG5TlVSH4z7laszejdGIftMoO6ODR CuSxwB5lQpIDVMCCRaUuGTLpYRFv17HrsMAEM5HdAX/SmvtdShuTYhQYjxCrABRtLRFTBjomyKN9 RBEDtuIVPyrQxLrh/wgiAfEgaigHHwzY5H5+PB47WACq/XHIFRjQBB05h6NTtIkmLJBjFJFngh+C Ila8ONcmCslHYFmuJT1aI5SiBip0wGIn6+PMEDtDtwBkUks1uIor4iQauUipILhYIMLAosVabiQV 1ljYfPTRJSLU7oK8294h18aVLgpQR648jixlw7ohIUSPphlChB5yHHQgwG4PoeVCoHmKVeJABq3k BTpNOcoPXQdbm8OVWaRzlYEpgRiSONwzxqOFWyzhGOJ6glOgENBLjCufhHFdQaWAz40QgxnOUAJA M7clhB6Gn1KIaDAGZdCOevSjIA2pSEdK0pKa9KQoTalKV8rSlrr0pWgwjalMZ0rTmtr0pjjNqU53 ytOe+vSnQA2qUIdK1KIa9ahITapSl8rUpjr1qVCNqlSnStWqWvWqWM2qVrfK1a569atgDatYx0rW spr1rGhNq1rXyta2uvWtcI2rXOdK17ra9a54/WgQAAAh+QQELAEAACweACEAKwEQAAAG/0CccEgs GomRwHHJbC5DgZeT+QqEpljj7SUt1l41HJcrI3LDw1eZuB27b1lZxDONRLL4/NETKVevTQF3R1ZT XHpLSYhLMnRLKoA4UF2If4tmGFoBAWhDFQEsOJujCGubg0KCRVWjrZROVahMm5e1TklSloGyRIVO tLZCisHCSkuqQpOXurXDRRgBJmwBCKkOLx4I1KmblMhDbS8OUVxwxOfosL6zvEPrs8YyJiGhaTI3 LCFraSEqNc5eTJi498IcDhkh9An5Mu4QERlVrpWZJM9EJyH5LB75IwPSRRwZL8pjUYMhuSIsAjgg YiKAI2Q3Bhij9u2bEWdf8IUwl0+hkP8taGTcy1dPiBohEMX0M4ijhsCCBY/UgKTC3FF7C+dVHZJU zDqE9HpFmOozVaQbVJluazlqZSoEMjc5wgFt0wBtR1KO+tTFQ6tMUFoVSTLqDhTCAQasuTHO7iuj Klup+Nl402QcnzYlbGWMiLZO49B80wZHELTLNgd3htJYSuZN0rwCiuCgcqZUg5LUVWlORtzIjw+2 GhCGNNIAmfRucmBumC62myq4gzvqtihAvkcRd3dHhQehSVBTU5EdTpUBKsQBYyPze91cKtOPk2HS IdeIRwNjqAHl9qcK8qhkBCsAQjEAHNBUMNVdTQlyQw30qWffEFAAUoOAuAnR0gC4XVj/jSjtDOGM flF5YBELMkE223g1aGNKbomFUMMnl2mDwQvvGSEDBiT5RYdfl/kVyo5qJBGbc754J1RD3ETwggky deGLNvpAM5dN2PiyiTl+SQFNbBd2NoQKAUgnhDZeBnAZmSuyQyFy3L01RGirbCMEjTjIZA40aqh0 EUBEeCgEkO5whpphaoLIxIhwFrEFk7okgYYyiuIQnopeuWVpFEx0pIoMZZ75IVct3YZkJEZBA8iW GrpklldmisJhhiwgpiUqyiSxzzhGQBEbXZzaGl0xbiYDSpyscPZYFXO1dAVn3eDQmAfNialaGXAZ lFgEFcgYZ0zVpIbEascO4UFlnEY6/2oVUsKIxoVXtDQXpQ9V8Nsg49wAqiNytAIjpjioYOuqmsby KnSCdRjjk7e+KQUuQ+BVRIVD8LmpCW6sAahYDscJKgJuRGVGo5IUkljIk8pkqrVEkOlBFdZVWgQy FYorIrmUtORAehZHigq7GW7aS7wkd2mENi8bjENL3gWwxgADhPBCSv/KJtwAGDtrTRrIFEJmBSHP GUFKjmgtszJQOBKmESm5FROnfsV8M1McG+vNIDLts5Gd0nKqTVGOIrMxOHdZHKcRMEFtM7F237wG pL7YwXW7jL/6sTloFgHqIFQvVCYCH1ZhJplVW+LroFpygvqqV4A66xIe5iPTqrhyGv+mQHEdoQ0C HsQlRZg8ClyxSyQhruZk9CLjFwIYexAr19TkY6eBUocgHUIvpF2MB8UbUdeoQc+MCpmLC914qxWw kKPPkwcNkC/jIBCCNpwWoY0KKmiDSmaxxTQACybQH+MsASoHsKB3qcMaW0Szop2pLxK0CAxyGnY+ 8lHjE0eQAf24VT8V/OZ1L/CdEfwSwfpV6gavCVWdMBAXxZirFdJJFgLQoJzgeCUa4iOELASYCJyB wzbpitzP6ic4MfmiX9RoSXA8uBwHjG8TnYDOOErni92oKhUVoF+iXtUUdP0KGEDJwxf05gSjpWFC TUHjfcgIOzLAQmRD+MJV0khGOaZY444LsSEeO7aRjzQBDHjYAt3u48eHnGGPTUgPUqCGyEY68pGQ ZIIK6lEDmRQykpjcI/0ac5lMevKToMwCYQgzl1CaMhjZs0NZTsnKVmISIRWYgx5dGYwgAAA7 ------=_NextPart_000_0000_01C08965.CBA7AE00--
|