Another interesting piece of the puzzle. If my memory serves me correctly, when I look at the logs after trying to connect through a client-side NAT device, it shows successful authentication. I don't believe it shows anything at all after that though. No dropped packets, no accepted packets, no nothing. Thanks again for any input,

Christian
-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Friday, January 04, 2002 12:30 PM
To: [email protected]
Subject: [FW-1] SecuRemote through NAT device???
Been struggling with this for months now. Maybe one of you fine people can point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through SecuRemote and it works beautifully as long as the client isn't NAT'd. Add a Linksys or Netgear router on the client side for Internet connection sharing / NAT and SecuRemote breaks. Update site and logon to site work fine and with no errors. Once logged on though, no resources can be accessed on the private network behind the firewall. Can't ping, see/open shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ (all packets pass through and are forwarded to the client with no filters), SecuRemote still will not work. Only when the NAT device is removed from the picture altogether will SecuRemote function.

I have followed the instructions on Phoneboy's site about SecuRemote Client and NAT until I'm blue in the face. In a nutshell, this is what he recommends.
HIDE NAT will only work correctly with IKE (it does not work with FWZ), provided the following is true:

· Ensure that UDP port 500 on your NAT gateway is mapped to the SecuRemote client. FireWall-1 tries to communicate via this port.
· Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50) if UDP Encapsulation is not used.
· If UDP Encapsulation Mode is used, make sure it can pass UDP Port 2746.
· If Gateway Clusters are used with UDP Encapsulation, you will need to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.
· Make sure that each HIDE NAT client is using a different IP address. If two clients attempt to use SecuRemote and have the same non-routable address, neither client will be able to access the internal network correctly. Where this will commonly show up is if two or more clients use the same NAT router with the default configuration. This limitation will be removed in a future feature pack of NG (Feature Pack 1 current as of this writing).
· Make sure that ESP mode is configured for the affected users in their IKE Properties, encryption tab. AH will not work. This is generally the default.
You will also need to modify objects.C on the management console. Edit $FWDIR/conf/objects.C. For guidelines on editing objects.C, see How do I Edit Objects.C? After the :props ( line, add or modify the following lines so they read:

    :userc_NAT (true)
    :userc_IKE_NAT (true)
FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices, as all communication will occur over UDP instead of using IP datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to make use of this feature.
If UDP encapsulation does not work with the correct version of SecuRemote installed on the client, you will need to manually enable UDP Encapsulation. In NG, this is configurable in the GUI in the IKE Properties, Advanced page. In FireWall-1 4.1, look for the section in your $FWDIR/conf/objects.C that has your firewall or gateway cluster object. It looks something like this (my object is called phoneboy-gc):

    :isakmp.udpencapsulation (
        :resource (
            :type (refobj)
            :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
    )

You will also need to create a service called VPN1_IPSEC_encapsulation, if it does not exist. It is a UDP service, port 2746.
Needless to say, this does not work for me. Anybody out there experience anything like this? Anyone have any idea what could be wrong here or suggestions I could try? This has really been driving me crazy; as I mentioned, it's been months that I've been unable to get this resolved and I'm getting close to giving up and getting a VPN appliance. I've just read too many other posts and articles about this working for people though, so I know it should work. Any input you could give me would be greatly appreciated. I've hit a brick wall with this. Thanks,

Christian Hanke
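The quoted Phoneboy notes ask for three edits to $FWDIR/conf/objects.C (`:userc_NAT (true)`, `:userc_IKE_NAT (true)` under `:props`, and an active `:isakmp.udpencapsulation` block on the gateway object referencing the `VPN1_IPSEC_encapsulation` service). A quick way to confirm those edits actually took before chasing the NAT device further is to parse the file and check each setting. The script below is an added example, not part of either message in this thread and not Check Point or Phoneboy code. It assumes only the `:key (value)` nesting shape visible in the quoted snippets, and the sample text it parses is constructed for the example (the object name phoneboy-gc is borrowed from the quoted text).

```python
"""Parse a fragment in the objects.C ':key (value)' syntax and check the
NAT-related settings called out in the thread: userc_NAT, userc_IKE_NAT
and isakmp.udpencapsulation on the gateway object."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample that follows the shape of the snippets quoted in the
# message. It is NOT a real objects.C file; only the keys named in the
# thread are included.
SAMPLE_OBJECTS_C = """
(
 :props (
  :userc_NAT (true)
  :userc_IKE_NAT (true)
 )
 :phoneboy-gc (
  :type (gateway_cluster)
  :isakmp.udpencapsulation (
   :resource (
    :type (refobj)
    :refname ("#_VPN1_IPSEC_encapsulation")
   )
   :active (true)
  )
 )
)
"""

# Tokens: parentheses, double-quoted strings, or bare words (keys keep
# their leading ':' so the parser can tell keys from scalar atoms).
_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


def _parse_value(tokens: List[str], i: int) -> Tuple[Any, int]:
    """Parse the value starting at tokens[i], which must be '('.

    Returns (value, index_after_closing_paren). A value is either a dict
    of ':key' entries or a scalar: the single quoted/bare atom inside the
    parens (None for an empty pair)."""
    if i >= len(tokens) or tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}")
    i += 1
    if i < len(tokens) and tokens[i].startswith(":"):
        node: Dict[str, Any] = {}
        while i < len(tokens) and tokens[i] != ")":
            key = tokens[i][1:]          # drop the leading ':'
            value, i = _parse_value(tokens, i + 1)
            node[key] = value
        if i >= len(tokens):
            raise ValueError("unterminated section")
        return node, i + 1
    atoms: List[str] = []
    while i < len(tokens) and tokens[i] != ")":
        atoms.append(tokens[i].strip('"'))
        i += 1
    if i >= len(tokens):
        raise ValueError("unterminated value")
    scalar = atoms[0] if len(atoms) == 1 else (atoms or None)
    return scalar, i + 1


def parse_objects_c(text: str) -> Dict[str, Any]:
    """Parse a whole objects.C-style document into nested dicts."""
    tokens = _TOKEN.findall(text)
    tree, end = _parse_value(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens after top-level object")
    return tree


def nat_checks(tree: Dict[str, Any], gateway_name: str,
               service_name: str = "VPN1_IPSEC_encapsulation") -> Dict[str, bool]:
    """Report whether each NAT-related setting from the thread is present."""
    props = tree.get("props") or {}
    gateway = tree.get(gateway_name) or {}
    encap = gateway.get("isakmp.udpencapsulation") or {}
    resource = encap.get("resource") or {}
    return {
        "userc_NAT": props.get("userc_NAT") == "true",
        "userc_IKE_NAT": props.get("userc_IKE_NAT") == "true",
        "udp_encapsulation_active": encap.get("active") == "true",
        # The quoted snippet references the service as "#_<service name>".
        "udp_encapsulation_service": resource.get("refname") == "#_" + service_name,
    }


if __name__ == "__main__":
    results = nat_checks(parse_objects_c(SAMPLE_OBJECTS_C), "phoneboy-gc")
    for name, ok in results.items():
        print(f"{name:28s} {'OK' if ok else 'MISSING'}")
```

Run it against a real file with `parse_objects_c(open(path).read())` and the name of your gateway or cluster object; any `MISSING` line points at the setting to revisit. The parser is deliberately minimal: it understands the `:key (value)` nesting shown in the thread and nothing more, so a file using constructs outside that shape should be checked by hand.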