Re: [FW1] DSL and Secure remote
No, the firewall's objects.C needs to be hacked...

<SNIP FROM PHONEBOY ARCHIVE-http://www.phoneboy.com/fw1/faq/0141.html>

FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices as all communication will occur over UDP instead of using IP Datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 are available.

Add the following to the section in $FWDIR/conf/objects.C:

    :isakmp.udpencapsulation (
        :resource (
            :type (refobj)
            :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
    )

You will also need to create a network object called VPN1_IPSEC_encapsulation. It is a service of type UDP, port 2746.

By default, FireWall-1 4.1 SP2 and later that has had these changes made will invoke this mode if the UDP port 500 packet coming from the SecuRemote client has a source port that is not port 500. This mode can be forced on the client by going into userc.C on the Secure Client and adding the following under the options section:

    :force_udp_encapsulation (true)

It can also be disabled entirely on the firewall by changing :active to "false" instead of true in the above objects.C modification.

<END SNIP>

Chris

Jarrett Goetz wrote:
>
> Is that the only setting you actually changed to get it to work?
>
> What are you using SecuRemote 'behind'?
>
> Thanks Chris.
>
> Jarrett
>
> -----Original Message-----
> From: Chris Trudeau [mailto:[email protected]]
> Sent: Saturday, September 16, 2000 11:45
> To: Travis Guinn
> Cc: 'Guillaume, Reginald'; Worldwide Support (E-mail)
> Subject: Re: [FW1] DSL and Secure remote
>
> 4.2SP2 works with SR 4165. Enable force_udp_encapsulation (true)
>
> Works beautifully...
>
> Travis Guinn wrote:
>
> > If you are using NAT with your DSL modem you may have a very tough time getting SR to work. It was said that version 4.1 SP2 and the latest SR will work behind a NATed device but I have not seen it yet. Otherwise I don't think SR will work from behind any other router or firewall performing NAT or masquerading.
> >
> > HTH
> >
> > Travis Guinn
> > MCSE/CCSE/CCA/A+
> > Data Transit, Intl - Dallas
> > 1999 #1 Citrix Integrator Nationwide
> >
> > -----Original Message-----
> > From: Guillaume, Reginald [mailto:[email protected]]
> > Sent: Friday, September 15, 2000 6:17 PM
> > To: Worldwide Support (E-mail)
> > Subject: [FW1] DSL and Secure remote
> > Sensitivity: Personal
> >
> > Hello there, Do you guys know of any "DSL Router Modems" that would work perfectly with secure remote. I've been using a routing software called freesco acting like a Cisco router using "IP masquerading" and I am not getting thru using FWZ even with all the needed ports (udp 259,500 - tcp 256,264 and protocol 94,50,51) open. ALL INPUTS WILL BE APPRECIATED, Thanks.
>
> ===============================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================================================
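An added example, not part of the original thread and not Check Point code: a small Python check that parses the `:name (value)` syntax quoted in the FAQ snip and reports whether the firewall-side entry is present and active, and whether a client file forces the mode. The function names, the sample strings and the `:options ( ... )` layout of userc.C are assumptions made for illustration; only the subset of the syntax shown in the post is handled.

```python
import re
# Tokens of the ":name (value)" syntax quoted in the post: parens, quoted strings, bare words.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse(text):
    tokens, pos = TOKEN.findall(text), 0
    def body():
        nonlocal pos
        pairs, atoms = {}, []
        while pos < len(tokens) and tokens[pos] != ")":
            tok = tokens[pos]
            pos += 1
            if tok.startswith(":") and pos < len(tokens) and tokens[pos] == "(":
                pos += 1                          # consume "("
                pairs[tok[1:]] = body()           # nested pairs or a leaf string
                if pos >= len(tokens):
                    raise ValueError("missing ')' after " + tok)
                pos += 1                          # consume ")"
            elif tok == "(":
                raise ValueError("unexpected '('")
            else:
                atoms.append(tok.strip('"'))
        return pairs or " ".join(atoms)
    tree = body()
    if pos != len(tokens):
        raise ValueError("unbalanced ')'")
    return tree if isinstance(tree, dict) else {}

def audit_firewall(objects_c):
    """Return a list of findings for the objects.C change described in the post."""
    entry = parse(objects_c).get("isakmp.udpencapsulation")
    if not isinstance(entry, dict):
        return ["isakmp.udpencapsulation entry is missing"]
    findings = []
    if entry.get("active") != "true":
        findings.append(":active is not true; UDP encapsulation is disabled")
    res = entry.get("resource")
    if res != {"type": "refobj", "refname": "#_VPN1_IPSEC_encapsulation"}:
        findings.append(":resource does not reference VPN1_IPSEC_encapsulation")
    return findings

def client_forces_encapsulation(userc):
    opts = parse(userc).get("options")
    return isinstance(opts, dict) and opts.get("force_udp_encapsulation") == "true"

# Constructed samples: the fragment from the post, and an assumed userc.C layout.
SAMPLE_OBJECTS = (':isakmp.udpencapsulation ( :resource ( :type (refobj) '
                  ':refname ("#_VPN1_IPSEC_encapsulation") ) :active (true) )')
SAMPLE_USERC = ":options ( :force_udp_encapsulation (true) )"
```
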