
Re: [FW-1] SecuRemote through NAT device???



Title: SecuRemote through NAT device???

 

Another interesting piece of the puzzle. If my memory serves me correctly, when I look at the logs after trying to connect through a client-side NAT device, it shows successful authentication. I don't believe it shows anything at all after that though. No dropped packets, no accepted packets, no nothing. Thanks again for any input,

 

Christian

 

-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Friday, January 04, 2002 12:30 PM
To: [email protected]
Subject: [FW-1] SecuRemote through NAT device???

 

 

Been struggling with this for months now. Maybe one of you fine people can point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through SecuRemote and it works beautifully as long as the client isn't NAT'd. Add a Linksys or Netgear router on the client side for Internet connection sharing / NAT and SecuRemote breaks. Update site and logon to site work fine and with no errors. Once logged on though, no resources can be accessed on the private network behind the firewall. Can't ping, see/open shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ (all packets pass through and are forwarded to the client with no filters), SecuRemote still will not work. Only when the NAT device is removed from the picture altogether will SecuRemote function. I have followed the instructions on Phoneboy's site about SecuRemote Client and NAT until I'm blue in the face. In a nutshell, this is what he recommends.

HIDE NAT will only work correctly with IKE (it does not work with FWZ), provided the following is true:

·       Ensure that UDP port 500 on your NAT gateway is mapped to the SecuRemote client. FireWall-1 tries to communicate via this port.

·       Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50) if UDP Encapsulation is not used.

·       If UDP Encapsulation Mode is used, make sure it can pass UDP Port 2746.

·       If Gateway Clusters are used with UDP Encapsulation, you will need to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.

·       Make sure that each HIDE NAT client is using a different IP address. If two clients attempt to use SecuRemote and have the same non-routable address, neither client will be able to access the internal network correctly. Where this will commonly show up is if two or more clients use the same NAT router with the default configuration. This limitation will be removed in a future feature pack of NG (Feature Pack 1 current as of this writing).

·       Make sure that ESP mode is configured for the affected users in their IKE Properties, encryption tab. AH will not work. This is generally the default.

You will also need to modify objects.C on the management console. Edit $FWDIR/conf/objects.C. For guidelines on editing objects.C, see How do I Edit Objects.C? After the :props ( line, add or modify the following lines so they read:

        :userc_NAT (true)
        :userc_IKE_NAT (true)

FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices as all communication will occur over UDP instead of using IP datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to make use of this feature.

If UDP encapsulation does not work with the correct version of SecuRemote installed on the client, you will need to manually enable UDP Encapsulation. In NG, this is configurable in the GUI in the IKE Properties, Advanced page. In FireWall-1 4.1, look for the section in your $FWDIR/conf/objects.C that has your firewall or gateway cluster object. It looks something like this (my object is called phoneboy-gc):

:isakmp.udpencapsulation (
        :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
)

You will also need to create a service called VPN1_IPSEC_encapsulation, if it does not exist. It is a UDP service, port 2746.

Needless to say, this does not work for me. Anybody out there experience anything like this? Anyone have any idea what could be wrong here or suggestions I could try? This has really been driving me crazy; as I mentioned, it's been months that I've been unable to get this resolved, and I'm getting close to giving up and getting a VPN appliance. I've just read too many other posts and articles about this working for people though, so I know it should work. Any input you could give me would be greatly appreciated. I've hit a brick wall with this. Thanks,

Christian Hanke
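As an added example (not code from this thread, from Phoneboy's site or from Check Point), here is a small Python checker for the objects.C settings the quoted instructions ask for: the :userc_NAT and :userc_IKE_NAT props and an :active (true) :isakmp.udpencapsulation block whose :refname points at #_VPN1_IPSEC_encapsulation. The sample fragment below is constructed in the :key (value) style shown in the post, the parser handles only that subset of the objects.C syntax, and the object name phoneboy-gc is reused from the post rather than taken from a real installation.

```python
import re

# Constructed sample fragment in the objects.C style quoted in the thread. Two
# values are deliberately wrong (false) so the audit has something to report.
SAMPLE_OBJECTS_C = """
(
    :props (
        :userc_NAT (true)
        :userc_IKE_NAT (false)
    )
    :phoneboy-gc (
        :type (gateway_cluster)
        :isakmp.udpencapsulation (
            :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
            )
            :active (false)
        )
    )
)
"""

# Tokens: a double-quoted string, a parenthesis, or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()]+')


def tokenize(text):
    return TOKEN_RE.findall(text)


def parse_group(tokens, pos):
    """Parse the group whose '(' is at tokens[pos]. Returns (value, next_pos).
    A group of ':key (value)' pairs becomes a dict; a group holding a single
    bare atom such as '(true)' becomes that atom as a string; otherwise a list."""
    if tokens[pos] != "(":
        raise ValueError(f"expected '(' at token {pos}, got {tokens[pos]!r}")
    pos += 1
    entries, atoms = {}, []
    while pos < len(tokens) and tokens[pos] != ")":
        tok = tokens[pos]
        if tok.startswith(":"):
            key = tok[1:]
            if pos + 1 < len(tokens) and tokens[pos + 1] == "(":
                value, pos = parse_group(tokens, pos + 1)
            else:                                   # bare ':key value' form
                value, pos = tokens[pos + 1].strip('"'), pos + 2
            entries[key] = value
        else:
            atoms.append(tok.strip('"'))
            pos += 1
    if pos >= len(tokens):
        raise ValueError("unbalanced parentheses")
    pos += 1                                        # consume the closing ')'
    if entries:
        return entries, pos
    if len(atoms) == 1:
        return atoms[0], pos
    return atoms, pos


def parse_objects_c(text):
    tokens = tokenize(text)
    tree, end = parse_group(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens after the top-level group")
    return tree


def audit_securemote_nat(text):
    """Return a list of findings; an empty list means every setting the
    quoted instructions call for is present with the expected value."""
    tree = parse_objects_c(text)
    findings = []
    props = tree.get("props", {})
    for key in ("userc_NAT", "userc_IKE_NAT"):
        if props.get(key) != "true":
            findings.append(f":props {key} is {props.get(key)!r}, expected (true)")
    encap_objects = {name: obj for name, obj in tree.items()
                     if isinstance(obj, dict) and "isakmp.udpencapsulation" in obj}
    if not encap_objects:
        findings.append("no object carries an :isakmp.udpencapsulation block")
    for name, obj in encap_objects.items():
        enc = obj["isakmp.udpencapsulation"]
        if enc.get("active") != "true":
            findings.append(f"{name}: udpencapsulation :active is {enc.get('active')!r}, expected (true)")
        resource = enc.get("resource")
        refname = resource.get("refname") if isinstance(resource, dict) else None
        if refname != "#_VPN1_IPSEC_encapsulation":
            findings.append(f"{name}: :refname is {refname!r}, expected \"#_VPN1_IPSEC_encapsulation\"")
    return findings


if __name__ == "__main__":
    for line in audit_securemote_nat(SAMPLE_OBJECTS_C):
        print("FINDING:", line)
```

Run against the constructed sample it reports the two false values; replacing them with (true) yields no findings. The checker deliberately says nothing about the VPN1_IPSEC_encapsulation service object itself (UDP 2746), which lives elsewhere in objects.C and is a separate thing to verify.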

 



 
----------------------------------
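Added example (not part of the thread) illustrating why the quoted note says AH will not work through NAT while ESP, and in particular UDP-encapsulated ESP, can: it builds toy AH and ESP packets in Python, rewrites the source address (and, for UDP, the source port) the way a hide-NAT router does, and runs the gateway-side integrity check. The packet layouts are simplified (the AH ICV is appended after the payload instead of sitting in the AH header, and no encryption is performed), the key and addresses are constructed, and port 2746 is the UDP encapsulation port named above. It shows only the integrity-check side of the story; whether a given NAT router can forward and track raw IP protocol 50 at all is a property of the router, which is the reason UDP encapsulation exists.

```python
import hashlib
import hmac
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"            # 20-byte IPv4 header without options
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
UDP_ENCAP_PORT = 2746               # FW-1 UDP encapsulation port from the post
KEY = b"constructed-demo-key"       # constructed; a real SA derives keys via IKE


def ipv4_header(src, dst, proto, payload_len):
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))


def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96


def ah_covered_bytes(hdr, payload):
    """AH authenticates the IP header with the mutable fields zeroed
    (RFC 4302: ToS, flags/fragment offset, TTL, checksum). The source and
    destination addresses are NOT mutable, so any NAT rewrite breaks the ICV."""
    f = list(struct.unpack(IP_FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f) + payload


def build_ah(src, dst, payload):
    hdr = ipv4_header(src, dst, PROTO_AH, len(payload) + 12)
    # Simplified layout: ICV appended after the payload rather than in an AH header.
    return hdr + payload + icv(ah_covered_bytes(hdr, payload))


def build_esp(src, dst, payload, udp_encap=False):
    esp = struct.pack("!II", 0x1000, 1) + payload      # SPI, sequence, (would-be ciphertext)
    esp += icv(esp)                                    # ESP ICV covers only the ESP bytes
    if udp_encap:                                      # wrap in UDP so NAT sees ports
        esp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0) + esp
        return ipv4_header(src, dst, PROTO_UDP, len(esp)) + esp
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def hide_nat(packet, public_ip, new_port=40000):
    """What a hide-NAT router does on the way out: replace the private source
    address and, for UDP, the source port it uses to track the flow."""
    hdr, rest = packet[:20], packet[20:]
    proto = hdr[9]
    hdr = hdr[:12] + socket.inet_aton(public_ip) + hdr[16:]
    if proto == PROTO_UDP:
        rest = struct.pack("!H", new_port) + rest[2:]
    return hdr + rest


def gateway_verify(packet):
    """Gateway-side integrity check on the packet as received; True if the ICV matches."""
    hdr, rest = packet[:20], packet[20:]
    proto = hdr[9]
    if proto == PROTO_AH:
        payload, got = rest[:-12], rest[-12:]
        return hmac.compare_digest(got, icv(ah_covered_bytes(hdr, payload)))
    if proto == PROTO_UDP:                              # strip the encapsulation header
        rest, proto = rest[8:], PROTO_ESP
    if proto == PROTO_ESP:
        esp, got = rest[:-12], rest[-12:]
        return hmac.compare_digest(got, icv(esp))
    return False


def nat_traversal_results(client="192.168.1.10", nat_pub="203.0.113.5", gw="198.51.100.1"):
    """Constructed client/NAT/gateway addresses; returns which modes survive hide NAT."""
    p = b"ping"
    return {
        "AH": gateway_verify(hide_nat(build_ah(client, gw, p), nat_pub)),
        "ESP": gateway_verify(hide_nat(build_esp(client, gw, p), nat_pub)),
        "ESP-in-UDP": gateway_verify(hide_nat(build_esp(client, gw, p, udp_encap=True), nat_pub)),
    }


if __name__ == "__main__":
    for mode, ok in nat_traversal_results().items():
        print(f"{mode:11s} through hide NAT: {'verifies' if ok else 'ICV FAILS'}")
```

The AH packet fails verification at the gateway while both ESP variants pass, which matches the "ESP mode, AH will not work" line in the quoted checklist; the same AH packet verifies fine when no NAT sits in the path.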

   All contents © 2004 Network Presence, LLC. All rights reserved.