Been struggling with this for months now. Maybe one of you fine people can point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through SecuRemote and it works beautifully as long as the client isn't NAT'd. Add a Linksys or Netgear router on the client side for Internet connection sharing / NAT and SecuRemote breaks. Update site and logon to site work fine and with no errors. Once logged on though, no resources can be accessed on the private network behind the firewall. Can't ping, see/open shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ (all packets pass through and are forwarded to the client with no filters), SecuRemote still will not work. Only when the NAT device is removed from the picture altogether will SecuRemote function. I have followed the instructions on Phoneboy's site about SecuRemote Client and NAT until I'm blue in the face. In a nutshell, this is what he recommends.
HIDE NAT will only work correctly with IKE (it does not work with FWZ), provided the following is true:
· Ensure that UDP port 500 on your NAT gateway is mapped to the SecuRemote client. FireWall-1 tries to communicate via this port.
· Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50) if UDP Encapsulation is not used.
· If UDP Encapsulation Mode is used, make sure it can pass UDP Port 2746.
· If Gateway Clusters are used with UDP Encapsulation, you will need to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.
· Make sure that each HIDE NAT client is using a different IP address. If two clients attempt to use SecuRemote and have the same non-routable address, neither client will be able to access the internal network correctly. Where this will commonly show up is if two or more clients use the same NAT router with the default configuration. This limitation will be removed in a future feature pack of NG (Feature Pack 1 current as of this writing).
· Make sure that ESP mode is configured for the affected users in their IKE Properties, encryption tab. AH will not work. This is generally the default.
You will also need to modify objects.C on the management console. Edit $FWDIR/conf/objects.C. For guidelines on editing objects.C, see "How do I Edit Objects.C?"
After the :props ( line, add or modify the following lines so they read:
    :userc_NAT (true)
    :userc_IKE_NAT (true)
FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices as all communication will occur over UDP instead of using IP Datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to make use of this feature.
If UDP encapsulation does not work with the correct version of SecuRemote installed on the client, you will need to manually enable UDP Encapsulation. In NG, this is configurable in the GUI in the IKE Properties, Advanced page. In FireWall-1 4.1, look for the section in your $FWDIR/conf/objects.C that has your firewall or gateway cluster object. It looks something like this (my object is called phoneboy-gc):
    :isakmp.udpencapsulation (
        :resource (
            :type (refobj)
            :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
    )
You will also need to create a service called VPN1_IPSEC_encapsulation, if it does not exist. It is a UDP service, port 2746.
Needless to say, this does not work for me. Anybody out there experience anything like this? Anyone have any idea what could be wrong here or suggestions I could try? This has really been driving me crazy; as I mentioned, it's been months that I've been unable to get this resolved and I'm getting close to giving up and getting a VPN appliance. I've just read too many other posts and articles about this working for people though, so I know it should work. Any input you could give me would be greatly appreciated. I've hit a brick wall with this.

Thanks,
Christian Hanke
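The quoted instructions boil down to three things that must all be true in objects.C at once: the two :props flags, an :active UDP-encapsulation block on the gateway object, and a service behind the :refname that really is UDP port 2746. When a setup like the one above is "followed to the letter" and still fails, the first thing to rule out is a mismatch between those three. The script below is an added example (not part of this post and not Phoneboy's code): it parses the :key (value) syntax shown in the post and reports any of the three that is missing or wrong. The sample file is constructed; the :network_objects / :services section layout and the : (name ...) member form are assumptions about the file layout, not copied from a real objects.C.

```python
import re

# Constructed sample modelled on the objects.C fragments quoted in the post.
# The :network_objects / :services layout is an assumption, not a real file.
SAMPLE_OBJECTS_C = """
(
    :props (
        :userc_NAT (true)
        :userc_IKE_NAT (true)
    )
    :network_objects (
        : (phoneboy-gc
            :type (gateway_cluster)
            :isakmp.udpencapsulation (
                :resource (
                    :type (refobj)
                    :refname ("#_VPN1_IPSEC_encapsulation")
                )
                :active (true)
            )
        )
    )
    :services (
        : (VPN1_IPSEC_encapsulation
            :type (udp)
            :port (2746)
        )
    )
)
"""

# Tokens: parentheses, ':key' (possibly empty key, possibly dotted), quoted strings, bare atoms.
TOKEN_RE = re.compile(r'\(|\)|:[\w.]*|"[^"]*"|[^\s()"]+')


class Node:
    """One parenthesised group: leading bare atoms plus ':key (value)' entries in file order."""

    def __init__(self):
        self.atoms = []      # e.g. ['true'] for (true), ['phoneboy-gc'] for : (phoneboy-gc ...)
        self.entries = []    # (key, Node) pairs; key is '' for unnamed ': (' members

    def get(self, key, default=None):
        for k, v in self.entries:
            if k == key:
                return v
        return default

    def scalar(self):
        """The single bare value of a leaf such as (true) or (2746), else None."""
        return self.atoms[0] if len(self.atoms) == 1 and not self.entries else None

    def members(self):
        """Unnamed ': (name ...)' members as (name, Node) pairs."""
        return [(v.atoms[0], v) for k, v in self.entries if k == '' and v.atoms]


def _parse_group(tokens, i):
    """Parse the group starting at tokens[i] == '('; return (Node, index after ')')."""
    if tokens[i] != '(':
        raise ValueError("expected '(' at token %d, got %r" % (i, tokens[i]))
    node, i = Node(), i + 1
    while True:
        if i >= len(tokens):
            raise ValueError("unbalanced parentheses: file ended inside a group")
        tok = tokens[i]
        if tok == ')':
            return node, i + 1
        if tok.startswith(':'):                      # ':key (value)' entry
            value, i = _parse_group(tokens, i + 1)
            node.entries.append((tok[1:], value))
        else:                                        # bare atom or "quoted" atom
            node.atoms.append(tok.strip('"'))
            i += 1


def parse_objects_c(text):
    tokens = TOKEN_RE.findall(text)
    root, end = _parse_group(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens after the top-level group")
    return root


def audit_securemote_nat(text):
    """Return a list of findings; an empty list means all three requirements are met."""
    root, findings = parse_objects_c(text), []
    props = root.get('props', Node())
    for flag in ('userc_NAT', 'userc_IKE_NAT'):           # requirement 1: the :props flags
        val = props.get(flag)
        if val is None or val.scalar() != 'true':
            findings.append(":props has %s = %s, expected (true)"
                            % (flag, val.scalar() if val else 'missing'))
    services = dict(root.get('services', Node()).members())
    for name, obj in root.get('network_objects', Node()).members():
        enc = obj.get('isakmp.udpencapsulation')
        if enc is None:
            continue                                      # no encapsulation block to check
        active = enc.get('active')                        # requirement 2: block is active
        if active is None or active.scalar() != 'true':
            findings.append("%s: isakmp.udpencapsulation is not :active (true)" % name)
        ref = enc.get('resource', Node()).get('refname')
        ref_name = ref.scalar() if ref else None
        if not ref_name or not ref_name.startswith('#_'):
            findings.append('%s: :refname missing or not of the form "#_<service>"' % name)
            continue
        svc = services.get(ref_name[2:])                  # requirement 3: service is UDP 2746
        if svc is None:
            findings.append("%s: service %s is not defined in :services" % (name, ref_name[2:]))
            continue
        stype, port = svc.get('type'), svc.get('port')
        if not stype or stype.scalar() != 'udp' or not port or port.scalar() != '2746':
            findings.append("%s: expected a UDP service on port 2746, found type=%s port=%s"
                            % (ref_name[2:], stype.scalar() if stype else None,
                               port.scalar() if port else None))
    return findings


if __name__ == '__main__':
    for line in audit_securemote_nat(SAMPLE_OBJECTS_C) or ['no findings']:
        print(line)
```

Point it at a copy of the real $FWDIR/conf/objects.C and read the findings before touching the NAT router again: a refname that points at a service someone recreated as TCP, or a second gateway object still carrying :active (false), is invisible in the GUI but shows up immediately here.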