
Re: [FW-1] SecureRemote/NAT ..so close



We don't have IPv6 enabled, but did verify that within reasonable time,
reverse traffic (from the encryption domain to the SC), packets do get
encrypted.

We have recently discovered however, packets heading out the wrong interface
and therefore never returning to the network of origin.  This is strange
behavior because in a simpler scenario, we took out router2 below and put
the NAT'd address on the same subnet as the FW.  It has a local interface to
that network (qfe0) but still sends the packet out its default interface
(hme0).  Both the qfe0 that should have all the traffic, and the hme0 where
the traffic is actually going, have static ARP tables, and a netstat -rn
seems to show routing is fine, but packets still go astray.

Which would bring me to the question, in VPN connections to the firewall,
does it default its end with the external interface, in this case causing me
issue because I have a test lab using an internal interface?

-----Original Message-----
From: Steve R [mailto:[email protected]]
Sent: Tuesday, October 16, 2001 2:36 PM
To: [email protected]
Subject: Re: [FW-1] SecureRemote/NAT ..so close


I'm getting very much the same result BUT I get an entry in the log after key
exchange:

A drop by rule0 for IPv6 with info of 'decrypt failure: authentication
failure scheme : IKE'
I'm in the process of finding out what this means.

If I try and ping back through the tunnel to the SecuRemote client I get the
encrypt, but no decrypt.  I do see the UDP encapsulation packets going back to
the NAT device in front of the SecuRemote client, but nothing back in the
other direction.

        SteveR


10/17/01 6:46:44 AM, Brian Noecker <[email protected]> wrote:

>Ok, I need some help with the old SecureRemote behind a NAT device trick.
>Here's my setup:
>
>1. FW server: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES +
>STRONG] Solaris 2.7
>    FW Management console:  VPN-1(TM) & FireWall-1(R) Version 4.1 Build
>41862 [VPN + DES + STRONG] Solaris 2.7
>    SecureClient SP4 build 4185 on Win2000.  IKE over TCP, and Force
>UDP_encapsulation set.  Only IKE is being used (preshared secrets)
>
>2. Here's the test lab layout:
>
>SC ------router1---------router2----------Firewall-----FW_Management and
>other Resources in the Encryption domain.
>
>3. The routers are both Cisco 2621s and here is the setup of the NAT (HIDE
>NAT):
>------------------------------------------------------------------------------------
>interface FastEthernet0/0
> ip address 206.120.120.2 255.255.255.0
> no ip directed-broadcast
> ip nat outside
>!
>interface FastEthernet0/1
> ip address 10.200.0.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
>!
>ip default-gateway 206.120.120.1
>ip nat inside source list 1 interface FastEthernet0/0 overload
>ip classless
>ip route 0.0.0.0 0.0.0.0 206.120.120.1
>no ip http server
>!
>access-list 1 permit 10.200.0.0 0.0.0.255
>------------------------------------------------------------------------------------
>4. The firewall has a static route sending it to router 2 for the
>206.120.120.0 network
>5. The following were added to the management $FWDIR/conf/objects.C file
>(not the FW)
>        at the :props section
>                :userc_NAT (true)
>                :userc_IKE_NAT (ture)
>        at the end of the definition for my gateway
>                :isakmp.udpencapsulation (
>                        :resource (
>                                :type (refobj)
>                                :refname ("#_VPN1_IPSEC_encapsulation")
>                        )
>                        :active (true)
>                )
>6. The VPN1_IPSEC_encapsulation service was created for port 2746
>7. The firewall rule is SecuRemoteUsers@Any to EncryptionDomain on Any
>service gets Client Encryption Action.  The users are allowed to send to and
>receive from Any at any time.
>-------------------------------------------------------------
>
>Now for the problem as perceived.  In the lab and in production, with the SC
>set as a static address (206.120.120.2) everything works fine, I see traffic
>talk to the management console on port 264, talk to the policy server on 500
>and then switch to 2746.  I can access things as needed.  Now, put the box
>behind the router and give it a 10.200.0.2 address and I can update my
>topology and login to the policy server, getting authenticated fine.  I
>cannot however access any resources in the encryption domain.  On snooping
>interfaces, I see traffic from the SC to the firewall going on port 2746,
>then the requests going to the services in the encryption domain as
>10.200.0.2, and being replied to back into the firewall.  I see decrypts in
>the FW logs, but then no encrypts.  I see nothing leaving the firewall back
>towards the SC, or out any other interface of the firewall, either as the
>10.200.0.2, or the 206.120.120.2.  I don't get destination unreachable or
>network unreachables sent back from the firewall, nor are any drops recorded
>in the logs.  The packets just disappear.  It seems as if the FW is losing
>the NAT in its table and simply dropping the packets.
>
>At this point, I am at a loss for how to find where the traffic is going, or
>what else to do to get things to work.  The docs on setting this up have me
>set things up on the management console, but I don't see the
>isakmp.udpencapsulation addition to the object on the firewall's objects.C.
>Should this be propagating from the management console on install?  The
>VPN1_IPSEC_encapsulation service is defined on the FW however.
>
> Any help would be greatly appreciated.  Sorry for all the info.  Thanks in
>advance.
>
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
>
>

Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +, Mob: 025 835530 Fax: +
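Added example, not code from the thread or from Check Point: a small Python parser for the objects.C ":key (value)" syntax shown in step 5 of the quoted post, plus a check that the two :props flags are exactly true and that the gateway's :isakmp.udpencapsulation block is active and references the VPN1_IPSEC_encapsulation service. The sample fragment is constructed from the post (keeping its "(ture)" typo so the check has something to catch) and places :props and the gateway entry side by side for brevity; in a real objects.C they live in different parts of the file.

```python
import re
_TOKENS = re.compile(r'"[^"]*"|[():]|[^\s():"]+')   # quoted string | ( ) : | bare atom

def _parse_block(tokens, i):
    # Parse ':key (value)' entries until ')' or end of input; return (dict, next index).
    out = {}
    while i < len(tokens) and tokens[i] != ')':
        if tokens[i] != ':' or tokens[i + 2:i + 3] != ['(']:
            raise ValueError(f"expected ':key (' at token {i}")
        key, i = tokens[i + 1], i + 3
        nxt = tokens[i] if i < len(tokens) else ')'
        if nxt == ':':                                   # nested entries
            value, i = _parse_block(tokens, i)
        elif nxt == ')':                                 # empty value ':key ()'
            value = None
        else:                                            # single atom, quotes stripped
            value, i = nxt.strip('"'), i + 1
        if i >= len(tokens) or tokens[i] != ')':
            raise ValueError(f"missing ')' after :{key}")
        out[key], i = value, i + 1
    return out, i

def parse_objects_c(text):
    # Parse an objects.C-style fragment into nested dicts; atoms become strings.
    tokens = _TOKENS.findall(text)
    tree, i = _parse_block(tokens, 0)
    if i != len(tokens):
        raise ValueError("unbalanced parentheses in fragment")
    return tree

def check_nat_traversal(fragment):
    # Return findings; an empty list means the three settings from the thread are present.
    cfg, findings = parse_objects_c(fragment), []
    props = cfg.get("props") or {}
    for name in ("userc_NAT", "userc_IKE_NAT"):         # must be exactly 'true'
        if props.get(name) != "true":
            findings.append(f":{name} is {props.get(name)!r}, expected 'true'")
    udp = cfg.get("isakmp.udpencapsulation")
    if not isinstance(udp, dict) or udp.get("active") != "true":
        findings.append(":isakmp.udpencapsulation is missing or not :active (true)")
    elif not isinstance(udp.get("resource"), dict) or udp["resource"].get("refname") != "#_VPN1_IPSEC_encapsulation":
        findings.append(":isakmp.udpencapsulation :resource does not reference the encapsulation service")
    return findings
# Constructed sample mirroring the quoted post, including its '(ture)' typo.
SAMPLE = """:props (
        :userc_NAT (true)
        :userc_IKE_NAT (ture)
)
:isakmp.udpencapsulation (
        :resource (:type (refobj) :refname ("#_VPN1_IPSEC_encapsulation"))
        :active (true)
)"""
```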