Re: [FW-1] SecuRemote through NAT device???



Most of our users have a Linksys and are working fine.  Make sure the
Linksys firmware is at 1.39 or higher (1.40.2 for Wireless Linksys).  In
the Linksys, click on the Advanced tab and then look at Filtering and make
sure IPSec passthrough is enabled.  Do not use port forwarding on the
Linksys to map ports.  The newer firmware automatically sends IPSec traffic
back to the local PC that initiated the IPSec connection.  Make sure that
the

        :userc_NAT (true)
        :userc_IKE_NAT (true)

are still set properly on the management station and that you push a policy
if you change them.  Make sure that you have a SecuRemote license installed
on the firewall.  Also, your firewall object must use the routable IP
address, otherwise odd things can happen.

Keith White

From:     "Hanke, Christian (DC)" <[email protected]>
Sent by:  Mailing list for discussion of Firewall-1 <[email protected]>
Date:     01/04/02 12:30 PM
To:       [email protected]
cc:
Subject:  [FW-1] SecuRemote through NAT device???
Please respond to Mailing list for discussion of Firewall-1

Been struggling with this for months now. Maybe one of you fine people can
point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through
SecuRemote and it works beautifully as long as the client isn't NAT'd. Add
a Linksys or Netgear router on the Client side for Internet connection
sharing / NAT and SecuRemote breaks. Update site and logon to site works
fine and with no errors. Once logged on though, no resources can be
accessed on the private network behind the firewall. Can't ping, see/open
shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ
(all packets pass through and forwarded to client with no filters),
SecuRemote still will not work. Only when the NAT device is removed from
the picture altogether will SecuRemote function. I have followed the
instructions on Phoneboy's site about SecuRemote Client and NAT until I'm
blue in the face. In a nutshell, this is what he recommends.


HIDE NAT will only work correctly with IKE (it does not work with FWZ),
provided the following is true:

·       Ensure that UDP port 500 on your NAT gateway is mapped to the
SecuRemote client. FireWall-1 tries to communicate via this port.
·       Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50)
if UDP Encapsulation is not used.
·       If UDP Encapsulation Mode is used, make sure it can pass UDP Port
2746.
·       If Gateway Clusters is used with UDP Encapsulation, you will need
to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.
·       Make sure that each HIDE NAT client is using a different IP
address. If two clients attempt to use SecuRemote and have the same
non-routable address, neither client will be able to access the internal
network correctly. Where this will commonly show up is if two or more
clients use the same NAT router with the default configuration. This
limitation will be removed in a future feature pack of NG (Feature Pack 1
current as of this writing).
·       Make sure that ESP mode is configured for the affected users in
their IKE Properties, encryption tab. AH will not work. This is generally
the default.

You will also need to modify objects.C on the management console. Edit
$FWDIR/conf/objects.C. For guidelines on editing objects.C, see "How do I
Edit Objects.C?". After the :props ( line, add or modify the following lines
so they read:

                :userc_NAT (true)
                :userc_IKE_NAT (true)

FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP
Encapsulation" feature that uses UDP to encapsulate the encrypted data when
IKE is used. This mode should be far more compatible with NAT devices as
all communication will occur over UDP instead of using IP Datagrams. Both
FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to
make use of this feature.


If UDP encapsulation does not work with the correct version of SecuRemote
installed on the client, you will need to manually enable UDP
Encapsulation. In NG, this is configurable in the GUI in the IKE
Properties, Advanced page. In FireWall-1 4.1, look for the section in your
$FWDIR/conf/objects.C that has your firewall or gateway cluster object. It
looks something like this (my object is called phoneboy-gc):


:isakmp.udpencapsulation (
        :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
)

You will also need to create a service called VPN1_IPSEC_encapsulation, if
it does not exist. It is a UDP service, port 2746.


Needless to say, this does not work for me. Anybody out there experience
anything like this? Anyone have any idea what could be wrong here or
suggestions I could try? This has really been driving me crazy, as I
mentioned, it's been months that I've been unable to get this resolved and
I'm getting close to giving up and getting a VPN appliance. I've just read
too many other posts and articles about this working for people though so I
know it should work. Any input you could give me would be greatly
appreciated. I've hit a brick wall with this. Thanks,


Christian Hanke
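As an added example (not from the thread, and not Check Point's own tooling), a small Python checker for the objects.C settings that both Keith's reply and the quoted Phoneboy notes ask for: :userc_NAT and :userc_IKE_NAT under :props, and an active :isakmp.udpencapsulation block that references #_VPN1_IPSEC_encapsulation on the gateway object. It assumes gateway objects live under a :network_objects section (not shown on the page) and runs against a constructed fragment.

```python
import re

# objects.C tokens: parens, "quoted strings", :key names (dots/hyphens allowed), bare words
TOKEN = re.compile(r'\(|\)|"[^"]*"|:[\w.\-]+|[^\s()":]+')

def parse_block(tokens, pos):
    # Parse tokens after an opening '(' up to its matching ')'. Returns
    # (value, next_pos): dict for nested ':key (...)' entries, str for a leaf.
    if tokens[pos] == ')':
        return None, pos + 1
    if tokens[pos].startswith(':'):
        obj = {}
        while tokens[pos] != ')':
            key = tokens[pos][1:]
            if tokens[pos + 1] != '(':
                raise ValueError(f'expected "(" after :{key}')
            obj[key], pos = parse_block(tokens, pos + 2)
        return obj, pos + 1
    if tokens[pos + 1] != ')':
        raise ValueError(f'unexpected token after {tokens[pos]!r}')
    return tokens[pos].strip('"'), pos + 2

def check_securemote_nat(text, gateway):
    # Report the objects.C settings from the thread that are missing or wrong
    # (the section name network_objects is an assumption, not shown on the page).
    root, _ = parse_block(TOKEN.findall(text), 1)  # index 1: skip the outer '('
    findings = []
    props = root.get('props', {})
    for key in ('userc_NAT', 'userc_IKE_NAT'):
        if props.get(key) != 'true':
            findings.append(f'props: {key} is not (true)')
    gw = root.get('network_objects', {}).get(gateway, {})
    enc = gw.get('isakmp.udpencapsulation', {})
    if enc.get('active') != 'true':
        findings.append(f'{gateway}: isakmp.udpencapsulation not active')
    ref = enc.get('resource', {}).get('refname')
    if ref != '#_VPN1_IPSEC_encapsulation':
        findings.append(f'{gateway}: refname is {ref!r}, expected #_VPN1_IPSEC_encapsulation')
    return findings

# Constructed sample, not a real objects.C; userc_IKE_NAT is left (false) so the check reports it.
SAMPLE_OBJECTS_C = """(
    :props (:userc_NAT (true) :userc_IKE_NAT (false))
    :network_objects (:phoneboy-gc (
        :isakmp.udpencapsulation (
            :resource (:type (refobj) :refname ("#_VPN1_IPSEC_encapsulation"))
            :active (true)
        )
    ))
)"""
```

Running check_securemote_nat(SAMPLE_OBJECTS_C, 'phoneboy-gc') on a real management station's $FWDIR/conf/objects.C gives a quick sanity pass before pushing a policy; the service VPN1_IPSEC_encapsulation (UDP 2746) still has to be verified in the services section separately.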
