Been struggling with this for months now. Maybe one of you fine people can point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through SecuRemote, and it works beautifully as long as the client isn't NAT'd. Add a Linksys or Netgear router on the client side for Internet connection sharing / NAT and SecuRemote breaks. Update site and logon to site work fine with no errors. Once logged on, though, no resources can be accessed on the private network behind the firewall. Can't ping, see/open shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ (all packets pass through and are forwarded to the client with no filters), SecuRemote still will not work. Only when the NAT device is removed from the picture altogether will SecuRemote function. I have followed the instructions on Phoneboy's site about SecuRemote Client and NAT until I'm blue in the face. In a nutshell, this is what he recommends.
HIDE NAT will only work correctly with IKE (it does not work with FWZ), provided the following is true:

· Ensure that UDP port 500 on your NAT gateway is mapped to the SecuRemote client. FireWall-1 tries to communicate via this port.
· Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50) if UDP Encapsulation is not used.
· If UDP Encapsulation Mode is used, make sure it can pass UDP port 2746.
· If Gateway Clusters are used with UDP Encapsulation, you will need to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.
· Make sure that each HIDE NAT client is using a different IP address. If two clients attempt to use SecuRemote and have the same non-routable address, neither client will be able to access the internal network correctly. Where this will commonly show up is if two or more clients use the same NAT router with the default configuration. This limitation will be removed in a future feature pack of NG (Feature Pack 1 current as of this writing).
· Make sure that ESP mode is configured for the affected users in their IKE Properties, encryption tab. AH will not work. This is generally the default.
You will also need to modify objects.C on the management console. Edit $FWDIR/conf/objects.C. For guidelines on editing objects.C, see "How do I Edit Objects.C?". After the :props ( line, add or modify the following lines so they read:

    :userc_NAT (true)
    :userc_IKE_NAT (true)
FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices, as all communication will occur over UDP instead of using IP datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to make use of this feature.
If UDP encapsulation does not work with the correct version of SecuRemote installed on the client, you will need to manually enable UDP Encapsulation. In NG, this is configurable in the GUI in the IKE Properties, Advanced page. In FireWall-1 4.1, look for the section in your $FWDIR/conf/objects.C that has your firewall or gateway cluster object. It looks something like this (my object is called phoneboy-gc):

    :isakmp.udpencapsulation (
        :resource (
            :type (refobj)
            :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
    )
You will also need to create a service called VPN1_IPSEC_encapsulation, if it does not exist. It is a UDP service, port 2746.
Needless to say, this does not work for me. Anybody out there experienced anything like this? Anyone have any idea what could be wrong here, or suggestions I could try? This has really been driving me crazy; as I mentioned, it's been months that I've been unable to get this resolved, and I'm getting close to giving up and getting a VPN appliance. I've just read too many other posts and articles about this working for people, though, so I know it should work. Any input you could give me would be greatly appreciated. I've hit a brick wall with this.

Thanks,
Christian Hanke
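A checker for the objects.C settings in the quoted checklist (the :props flags and the gateway object's :isakmp.udpencapsulation block), added here as an example and not part of the original post or of Phoneboy's material. The objects.C fragment is constructed and simplified; the gateway object name "my-gateway" and its placement at the top level of the file are assumptions.

```python
import re

# Constructed, simplified objects.C fragment; gateway name and top-level placement are assumptions.
SAMPLE_OBJECTS_C = """(
  :props (
    :userc_NAT (true)
    :userc_IKE_NAT (false)
  )
  :my-gateway (
    :isakmp.udpencapsulation (
      :resource (
        :type (refobj)
        :refname ("#_VPN1_IPSEC_encapsulation")
      )
      :active (true)
    )
  )
)"""
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()]+')

def parse(text):
    # Turn the ':key (value)' syntax into nested dicts; leaf values are strings.
    toks, pos = TOKEN.findall(text), 0
    def value():
        nonlocal pos
        pos += 1                       # consume the opening '('
        if toks[pos].startswith(':'):  # block of nested :key (...) entries
            node = {}
            while toks[pos] != ')':
                key, pos = toks[pos][1:], pos + 1
                node[key] = value()
        else:                          # leaf such as (true) or ("#_name")
            node = []
            while toks[pos] != ')':
                node.append(toks[pos].strip('"'))
                pos += 1
            node = " ".join(node)
        pos += 1                       # consume the closing ')'
        return node
    return value()

def check_hide_nat(text, gateway):
    # Return the checklist settings that are missing or wrong for HIDE NAT clients.
    cfg = parse(text)
    problems = [f":props :{k} must be (true)" for k in ("userc_NAT", "userc_IKE_NAT")
                if cfg.get("props", {}).get(k) != "true"]
    enc = cfg.get(gateway, {}).get("isakmp.udpencapsulation", {})
    if enc.get("active") != "true":
        problems.append(f"{gateway}: :isakmp.udpencapsulation :active must be (true)")
    if enc.get("resource", {}).get("refname") != "#_VPN1_IPSEC_encapsulation":
        problems.append(f"{gateway}: :refname must reference #_VPN1_IPSEC_encapsulation")
    return problems
```

Run against the constructed sample it reports only the :userc_IKE_NAT flag; point it at a copy of your own objects.C and your gateway object's name to see which of the quoted settings are actually in place.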