
Re: [FW-1] SecureRemote/NAT ..so close



I'm getting very much the same result, BUT I get an entry in the log after key exchange:

A drop by rule0 for IPv6 with info of 'decrypt failure: authentication failure scheme : IKE'
I'm in the process of finding out what this means.

If I try and ping back through the tunnel to the SecuRemote client I get the encrypt, but no
decrypt. I do see the UDP encapsulation packets going back to the NAT device in front of the
SecuRemote client, but nothing back in the other direction.

        SteveR


10/17/01 6:46:44 AM, Brian Noecker <[email protected]> wrote:

>Ok, I need some help with the old SecureRemote behind a NAT device trick.
>Here's my setup:
>
>1. FW server: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES +
>STRONG] Solaris 2.7
>    FW Management console:  VPN-1(TM) & FireWall-1(R) Version 4.1 Build
>41862 [VPN + DES + STRONG] Solaris 2.7
>    SecureClient SP4 build 4185 on Win2000.  IKE over TCP, and Force
>UDP_encapsulation set.  Only IKE is being used (preshared secrets)
>
>2. Here's the test lab layout:
>
>SC ------router1---------router2----------Firewall-----FW_Management and other Resources in the Encryption domain.
>
>3. The routers are both cisco 2621s and here is the setup of the NAT (HIDE
>NAT):
>---------------------------------------------------------------------------------------
>interface FastEthernet0/0
> ip address 206.120.120.2 255.255.255.0
> no ip directed-broadcast
> ip nat outside
>!
>interface FastEthernet0/1
> ip address 10.200.0.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
>!
>ip default-gateway 206.120.120.1
>ip nat inside source list 1 interface FastEthernet0/0 overload
>ip classless
>ip route 0.0.0.0 0.0.0.0 206.120.120.1
>no ip http server
>!
>access-list 1 permit 10.200.0.0 0.0.0.255
>-----------------------------------------------------------------------------------------
>4. The firewall has a static route sending it to router 2 for the
>206.120.120.0 network
>5. The following were added to the management $FWDIR/conf/objects.C file
>(not the FW)
>        at the :props section
>                :userc_NAT (true)
>                :userc_IKE_NAT (ture)
>        at the end of the definition for my gateway
>                :isakmp.udpencapsulation (
>                        :resource (
>                                :type (refobj)
>                                :refname ("#_VPN1_IPSEC_encapsulation")
>                        )
>                        :active (true)
>                )
>6. The VPN1_IPSEC_encapsulation service was created for port 2746
>7. The firewall rule is SecuRemoteUsers@Any to EncryptionDomain on Any
>service gets Client Encryption Action.  The users are allowed to send to and
>receive from Any at any time.
>-------------------------------------------------------------
>
>Now for the problem as perceived.  In the lab and in production, with the SC
>set as a static address (206.120.120.2) everything works fine, I see traffic
>talk to the management console on port 264, talk to the policy server on 500
>and then switch to 2746.  I can access things as needed.  Now, put the box
>behind the router and give it a 10.200.0.2 address and I can update my
>topology and login to the policy server, getting authenticated fine.  I
>cannot however access any resources in the encryption domain.  On snooping
>interfaces, I see traffic from the SC to the firewall going on port 2746,
>then the requests going to the services in the encryption domain as
>10.200.0.2, and being replied to back into the firewall.  I see decrypts in
>the FW logs, but then no encrypts.  I see nothing leaving the firewall back
>towards the SC, or out any other interface of the firewall, either as the
>10.200.0.2, or the 206.120.120.2.  I don't get destination unreachable or
>network unreachables sent back from the firewall, nor are any drops recorded
>in the logs.  The packets just disappear.  It seems as if the FW is losing
>the NAT in its table and simply dropping the packets.
>
>At this point, I am at a loss for how to find where the traffic is going, or
>what else to do to get things to work.  The docs on setting this up have me
>set things up on the management console, but I don't see the
>isakmp.udpencapsulation addition to the object on the firewalls objects.C.
>Should this be propagating from the management console on install?  The
>VPN1_IPSEC_encapsulation service is defined  on the FW however.
>
> Any help would be greatly appreciated.  Sorry for all the info.  Thanks in
>advance.
>
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
>
>

Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +, Mob: 025 835530 Fax: +
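As an added example that is not part of this thread: a small Python checker for the objects.C settings Brian lists (the two `:props` flags and the `:isakmp.udpencapsulation` block on the gateway). The sample fragment, the gateway name `mygw` and the tiny parser are constructed here; the sample deliberately keeps the `(ture)` value exactly as quoted above, so the check shows how such a slip would be caught before a policy install.

```python
import re

# Constructed sample in the shape of the objects.C fragments quoted in the thread.
SAMPLE = """
(
    :props (
        :userc_NAT (true)
        :userc_IKE_NAT (ture)
    )
    :network_objects (
        :mygw (
            :type (gateway)
            :isakmp.udpencapsulation (
                :resource (
                    :type (refobj)
                    :refname ("#_VPN1_IPSEC_encapsulation")
                )
                :active (true)
            )
        )
    )
)
"""

_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def _parse(tokens, i):
    """Parse '( ... )' starting at tokens[i]; return (dict or atom, next index)."""
    assert tokens[i] == "(", "expected '('"
    i += 1
    if tokens[i] == ")":                      # empty value: ()
        return "", i + 1
    if not tokens[i].startswith(":"):         # atom such as (true) or ("#_ref")
        atom = tokens[i].strip('"')
        assert tokens[i + 1] == ")", "atom must be followed by ')'"
        return atom, i + 2
    node = {}
    while tokens[i] != ")":                   # sequence of :key ( value ) pairs
        key = tokens[i][1:]
        node[key], i = _parse(tokens, i + 1)
    return node, i + 1

def parse_objects_c(text):
    return _parse(_TOKEN.findall(text), 0)[0]

def check_udp_encap(text, gateway):
    """Return findings for the SecuRemote-behind-NAT settings; empty list = OK."""
    cfg, findings = parse_objects_c(text), []
    props = cfg.get("props", {})
    for prop in ("userc_NAT", "userc_IKE_NAT"):
        if props.get(prop) != "true":
            findings.append(f"props:{prop} is {props.get(prop)!r}, expected 'true'")
    encap = cfg.get("network_objects", {}).get(gateway, {}).get("isakmp.udpencapsulation")
    if not isinstance(encap, dict):
        findings.append(f"{gateway}: isakmp.udpencapsulation block missing")
    else:
        res = encap.get("resource")
        if not isinstance(res, dict) or res.get("refname") != "#_VPN1_IPSEC_encapsulation":
            findings.append(f"{gateway}: resource does not reference #_VPN1_IPSEC_encapsulation")
        if encap.get("active") != "true":
            findings.append(f"{gateway}: isakmp.udpencapsulation not active")
    return findings
```

Run it against the management station's objects.C (not the enforcement point's) with the real gateway object name, then compare the same path on the firewall after the install to see whether the block actually propagated.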