[FW1] SR 4165 + IKE + NAT = broken
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have recently upgraded to SR4156 and FW-1 4.1 SP2. All went smoothly until a couple of people tried logging on from home via their DSL connections. They authenticate OK, but cannot connect to resources. I can see the inbound packets, but the outbound packets are dropped at the firewall's internal interface under rule 0.

The log entries follow this format (consistently).

u1   = user's external (valid) IP address
u2   = user's internal (RFC) address (192.168.1.45)
fwe  = firewall external interface
fwi  = firewall internal interface
WINS = wins server
DNS  = dns server

>Action     Svc     Src   Dest   Prot  Rul  S_Port  Usr  XSource  XDst  Info
>authcrypt          u1                 0            rob                 authenticated by IKE
>key inst           u1    fwe                                           IKE Phase 1
>key inst           u1    fwe    ip    0                                IKE Phase 2
>accept             u2                              rob  w.x.y.z        IP Pool bound
>decrypt    nbname  u2    WINS   udp   x    nbname  rob  w.x.y.z        scheme IKE
>decrypt    name    u2    DNS    udp   x    1047    rob  w.x.y.z  DNS   scheme IKE
>drop       24625   fwi   u1     50    0    27991                       reason: local interface address spoofing

The key to the problem seems to be the last entry - the internal interface of the firewall seems to be trying to send the IPSEC packet to the DSL user, and gets refused with the message 'local interface address spoofing'.

The user's side of the network looks like this:

--------192.168.1.45 ---------Valid IP
| PC |---------------|DSL Rtr|------------ Internet
-------- 192.168.2.254---------

I know IKE isn't to blame, because I can use IKE on a dial-up connection. It appears to be a NAT issue. The DSL devices all NAT using the RFC1918 subnet 192.168.1.0.

Has anybody else seen this behaviour, and what is the fix?

Kind Regards,

Craig Little BSc, CPD, CPI, SCJP, CCSA, CCSE
Inter-Networking / Security Consultant
Shell Services International
Phone: +64 4 462 4661
Fax: +64 4 463 4060
Mobile: +64 21 37 5858
PGP Fingerprint F3CE 6EB2 6B1A 10EA E355 A157 8012 D53A 6AE5 962F
mailto:[email protected]
http://www.shellservices.com

By default attachments are compressed in WinZip format. If you cannot read them, please contact your Help Desk to have the WinZip utility installed. WinZip can be downloaded for free at http://www.winzip.com.

This e-mail message and attachments are confidential between the intended parties and may be subject to legal privilege. If you have received this e-mail in error, please advise the sender immediately and destroy the message and any attachments. If you are not the intended recipient you are notified that any use, distribution, amendment, copying or any action taken or omitted to be taken in reliance of this message or attachments is prohibited.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOdCceIAS1Tpq5ZYvEQI/UQCglFZCVZi/e89rxIZIyBZVoWvZki8An1m9
C3DcwFQl4+Y0Z0Jvk4LkAknn
=4cuB
-----END PGP SIGNATURE-----
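A small diagnostic script for the situation described in the message above, added here as an example and not part of Craig's post or of any Check Point tool. It parses FW-1-style export records, ties a rule-0 "local interface address spoofing" drop back to the IKE peer the dropped packet was addressed to, and checks whether a remote client's RFC1918 address collides with a network the firewall treats as local. The semicolon-separated layout, the column subset and the sample addresses are constructed assumptions for this example; they mirror the column names quoted in the post but are not the poster's actual log.

```python
"""Correlate anti-spoofing drops with IKE peers in FW-1-style log records.

Added example. The record layout (semicolon-separated, columns in FIELDS)
and the sample data are constructed for this demonstration; they are not
the real FW-1 export format or the poster's log.
"""
import ipaddress

FIELDS = ["action", "svc", "src", "dst", "proto", "rule", "user", "iface", "info"]

# Constructed sample log. Addresses use documentation ranges, not real hosts.
# 203.0.113.10 plays the DSL user's valid external address (u1 in the post),
# 192.168.1.45 the user's RFC1918 address behind the DSL router (u2),
# 10.0.0.1 the firewall's internal interface (fwi).
SAMPLE_LOG = """\
authcrypt;;203.0.113.10;198.51.100.1;;0;rob;fwe;authenticated by IKE
key inst;;203.0.113.10;198.51.100.1;ip;0;rob;fwe;IKE Phase 1
key inst;;203.0.113.10;198.51.100.1;ip;0;rob;fwe;IKE Phase 2
accept;;192.168.1.45;10.0.0.5;;;rob;fwi;IP Pool bound
decrypt;nbname;192.168.1.45;10.0.0.7;udp;;rob;fwi;scheme IKE
drop;;10.0.0.1;203.0.113.10;50;0;;fwi;reason: local interface address spoofing
accept;http;10.0.0.9;198.51.100.200;tcp;5;;fwi;ordinary traffic
"""

# RFC1918 ranges spelled out explicitly; ipaddress.is_private also covers
# documentation and test ranges, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Split each record into a dict keyed by FIELDS; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def spoof_drops_after_ike(records):
    """Return (peer, user, iface) for every rule-0 anti-spoofing drop whose
    destination is an address that earlier completed an IKE key install.

    This is the pattern in the post: the firewall's internal interface tries
    to send ESP (proto 50) back to the VPN peer and rule 0 rejects it.
    """
    peer_user = {}  # peer external address -> username seen at key install
    hits = []
    for rec in records:
        if rec["action"] == "key inst":
            peer_user[rec["src"]] = rec["user"]
        elif (rec["action"] == "drop" and rec["rule"] == "0"
              and "address spoofing" in rec["info"]
              and rec["dst"] in peer_user):
            hits.append((rec["dst"], peer_user[rec["dst"]], rec["iface"]))
    return hits


def private_address_collision(client_ip, local_networks):
    """True when the remote client's RFC1918 address falls inside a network
    the firewall treats as local. Overlapping private ranges between a home
    NAT and the office LAN are a common reason VPN return traffic is
    misrouted or judged to be spoofed."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in RFC1918):
        return False
    return any(ip in ipaddress.ip_network(n) for n in local_networks)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for peer, user, iface in spoof_drops_after_ike(recs):
        print(f"anti-spoofing drop on {iface} toward IKE peer {peer} (user {user})")
    # Constructed office networks for the collision check.
    print("client 192.168.1.45 collides with local nets:",
          private_address_collision("192.168.1.45", ["192.168.1.0/24", "10.0.0.0/8"]))
```

Run against a real export, the first function only needs its column order adjusted to match the fields you actually log; the correlation key is the peer's external address, which is what rule 0 is judging.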