Re: [FW-1] SecureRemote/NAT ..so close
I'm getting very much the same result BUT I get an entry in the log after key exchange: a drop by rule0 for IPv6 with info of 'decrypt failure: authentication failure scheme : IKE'. I'm in the process of finding out what this means.

If I try and ping back through the tunnel to the SecureRemote client I get the encrypt, but no decrypt. I do see the UDP encapsulation packets going back to the NAT device in front of the SecureRemote client, but nothing back in the other direction.

SteveR

10/17/01 6:46:44 AM, Brian Noecker <[email protected]> wrote:

>Ok, I need some help with the old SecureRemote behind a NAT device trick.
>Here's my setup:
>
>1. FW server: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG] Solaris 2.7
>   FW Management console: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG] Solaris 2.7
>   SecureClient SP4 build 4185 on Win2000. IKE over TCP, and Force UDP_encapsulation set. Only IKE is being used (preshared secrets)
>
>2. Here's the test lab layout:
>
>SC ------router1---------router2----------Firewall-----FW_Management and other Resources in the Encryption domain.
>
>3. The routers are both cisco 2621s and here is the setup of the NAT (HIDE NAT):
>-------------------------------------------------------------------------------------
>interface FastEthernet0/0
> ip address 206.120.120.2 255.255.255.0
> no ip directed-broadcast
> ip nat outside
>!
>interface FastEthernet0/1
> ip address 10.200.0.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
>!
>ip default-gateway 206.120.120.1
>ip nat inside source list 1 interface FastEthernet0/0 overload
>ip classless
>ip route 0.0.0.0 0.0.0.0 206.120.120.1
>no ip http server
>!
>access-list 1 permit 10.200.0.0 0.0.0.255
>-------------------------------------------------------------------------------------
>4. The firewall has a static route sending it to router 2 for the 206.120.120.0 network
>5. The following were added to the management $FWDIR/conf/objects.C file (not the FW)
>   at the :props section
>     :userc_NAT (true)
>     :userc_IKE_NAT (ture)
>   at the end of the definition for my gateway
>     :isakmp.udpencapsulation (
>       :resource (
>         :type (refobj)
>         :refname ("#_VPN1_IPSEC_encapsulation")
>       )
>       :active (true)
>     )
>6. The VPN1_IPSEC_encapsulation service was created for port 2746
>7. The firewall rule is SecuRemoteUsers@Any to EncryptionDomain on Any service gets Client Encryption Action. The users are allowed to send to and receive from Any at any time.
>-------------------------------------------------------------
>
>Now for the problem as perceived. In the lab and in production, with the SC set as a static address (206.120.120.2) everything works fine, I see traffic talk to the management console on port 264, talk to the policy server on 500 and then switch to 2746. I can access things as needed. Now, put the box behind the router and give it a 10.200.0.2 address and I can update my topology and login to the policy server, getting authenticated fine. I cannot however access any resources in the encryption domain. On snooping interfaces, I see traffic from the SC to the firewall going on port 2746, then the requests going to the services in the encryption domain as 10.200.0.2, and being replied to back into the firewall. I see decrypts in the FW logs, but then no encrypts. I see nothing leaving the firewall back towards the SC, or out any other interface of the firewall, either as the 10.200.0.2, or the 206.120.120.2. I don't get destination unreachable or network unreachables sent back from the firewall, nor are any drops recorded in the logs. The packets just disappear. It seems as if the FW is losing the NAT in its table and simply dropping the packets.
>
>At this point, I am at a loss for how to find where the traffic is going, or what else to do to get things to work. The docs on setting this up have me set things up on the management console, but I don't see the isakmp.udpencapsulation addition to the object on the firewall's objects.C. Should this be propagating from the management console on install? The VPN1_IPSEC_encapsulation service is defined on the FW however.
>
>Any help would be greatly appreciated. Sorry for all the info. Thanks in advance.
>
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
>
>

Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +, Mob: 025 835530 Fax: +
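The objects.C fragment quoted above uses the nested ':name (value)' syntax that FW-1 4.1 configuration files are written in. As an added example (not Check Point's code and not from either poster), the script below parses a constructed copy of that fragment and checks the two :props flags and the gateway's isakmp.udpencapsulation block against the values the post says were intended, and also reports a gateway object that has no such block, which is what the poster describes seeing on the firewall's own objects.C. The gateway object name (my_gateway), its ':type (gateway)' line and the second fragment are my assumptions; the parser covers only the subset of the syntax visible in the thread.

```python
"""Sanity-check an FW-1 4.1 objects.C fragment for the SecureRemote
UDP-encapsulation / NAT settings discussed in this thread.

Added example, not Check Point code.  Assumes the nested ':name (value)'
syntax shown in the post; property names come from the post, the gateway
object name and its :type line are assumed."""

import re

# Constructed sample mirroring the fragment quoted in the post
# (including the value of :userc_IKE_NAT exactly as quoted).
SAMPLE = """
(
 :props (
  :userc_NAT (true)
  :userc_IKE_NAT (ture)
 )
 :my_gateway (
  :type (gateway)
  :isakmp.udpencapsulation (
   :resource (
    :type (refobj)
    :refname ("#_VPN1_IPSEC_encapsulation")
   )
   :active (true)
  )
 )
)
"""

# Constructed: what the post describes on the firewall's own copy,
# i.e. a gateway object with no isakmp.udpencapsulation block.
SAMPLE_NO_ENCAP = """
(
 :props (
  :userc_NAT (true)
  :userc_IKE_NAT (true)
 )
 :my_gateway (
  :type (gateway)
 )
)
"""

# Tokens: a double-quoted string, a parenthesis, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def parse(text):
    """Parse the ':key (value)' tree into nested dicts; leaves become strings."""
    tokens = TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != '(':
            raise ValueError('expected "(" at token %d' % pos)
        pos += 1
        children, scalars = {}, []
        while pos < len(tokens) and tokens[pos] != ')':
            tok = tokens[pos]
            pos += 1
            if tok.startswith(':'):          # ':name (...)' -> child node
                children[tok[1:]] = node()
            else:                            # bare or quoted leaf value
                scalars.append(tok.strip('"'))
        if pos >= len(tokens):
            raise ValueError('unbalanced parentheses')
        pos += 1                             # consume ')'
        if children:
            return children
        return scalars[0] if len(scalars) == 1 else scalars

    return node()


def check(tree):
    """Return a list of findings; empty means the fragment looks as intended."""
    findings = []
    props = tree.get('props', {})
    for key in ('userc_NAT', 'userc_IKE_NAT'):
        val = props.get(key)
        if val != 'true':
            findings.append('props.%s is %r, expected "true"' % (key, val))
    for name, obj in tree.items():
        if name == 'props' or not isinstance(obj, dict):
            continue
        enc = obj.get('isakmp.udpencapsulation')
        if enc is None:
            if obj.get('type') == 'gateway':
                findings.append('%s: isakmp.udpencapsulation block missing' % name)
            continue
        if enc.get('active') != 'true':
            findings.append('%s: isakmp.udpencapsulation not active' % name)
        ref = enc.get('resource', {}).get('refname')
        if ref != '#_VPN1_IPSEC_encapsulation':
            findings.append('%s: refname is %r' % (name, ref))
    return findings


if __name__ == '__main__':
    for label, text in (('management copy', SAMPLE), ('firewall copy', SAMPLE_NO_ENCAP)):
        print(label + ':', check(parse(text)) or 'no findings')
```

Run against the fragment as quoted, the check reports the :userc_IKE_NAT value; against the second fragment it reports the missing encapsulation block. Pointing it at a real $FWDIR/conf/objects.C would need the parser extended for the rest of the file's syntax, which this example does not attempt.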