Unfortunately, I met both of the requirements you mention below long ago. There is something else going on here that I just can't put my finger on. It seems like it would be something like what you mention below, because it works fine without the NAT device, but I'm not so sure. I have been over every setting with a fine-tooth comb dozens of times.

I wonder if any of you fine people would be amenable to sending me a copy of your Objects.c and maybe userc.c files? Machine names and addresses changed, of course, to protect the innocent. I would love to compare mine with someone's who has this working and see if that sheds any light on this mess. As always, I greatly appreciate all the responses I've gotten regarding this nagging problem,

Christian
-----Original Message-----
From: Juan Concepcion [mailto:[email protected]]
Sent: Tuesday, January 08, 2002 10:09 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???
Getting this to work is simple; I have a Linksys sitting right by my side:

1. Make sure the router has the latest firmware and supports IPSEC pass-through (most of them do by default, I think, or you have to configure them to), and also make sure to map port 2746 to your internal client; that's for the UDP encapsulation.

2. Make sure the management station has two entries, userc_IKE_NAT (true) and userc_NAT (true). Although SP3 and above have this by default, it's sometimes set to false. Also, if it was an upgrade this entry will not be there.

Those are the basic things to look for. If any of those things are missing, your configuration will most certainly not work.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Hanke, Christian (DC)
Sent: Tuesday, January 08, 2002 4:55 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???
I guess I have a couple of questions regarding this problem. Even though it works without the client-side NAT device, these questions are nagging at me.

1. Does the Firewall box need to have some sort of connectivity with the resources in question? For example, I can't open a share from my firewall box because I have it locked down. I can, however, open a share through my box using SecuRemote as long as no NAT device is on the client side. Could this have something to do with it? Does my FW1 box need to be able to browse the internal network for some reason?

2. When my LMHosts gets updated by authentication with the FW1 box, it has no information about the FW1 box itself, only resources on the other side of the box. The info for the FW1 box is contained in the topo, right? So I shouldn't need to have any of this in the LMHosts file, right?

3. What do I need to do to log all SecuRemote activity on the client side?

That's all I can think of right now. Thanks very much for any thoughts or ideas you may have,

Christian
-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Friday, January 04, 2002 12:30 PM
To: [email protected]
Subject: [FW-1] SecuRemote through NAT device???
Been struggling with this for months now. Maybe one of you fine people can point me in the right direction.

FW1 4.1 SP3 box with a private network behind it. Trying to connect through SecuRemote, and it works beautifully as long as the client isn't NAT'd. Add a Linksys or Netgear router on the client side for Internet connection sharing / NAT and SecuRemote breaks. Update site and logon to site work fine with no errors. Once logged on, though, no resources can be accessed on the private network behind the firewall. Can't ping, see/open shares, nothing. Interestingly, even when the NAT'd box is set up as DMZ (all packets pass through and are forwarded to the client with no filters), SecuRemote still will not work. Only when the NAT device is removed from the picture altogether will SecuRemote function.

I have followed the instructions on Phoneboy's site about SecuRemote Client and NAT until I'm blue in the face. In a nutshell, this is what he recommends.
HIDE NAT will only work correctly with IKE (it does not work with FWZ), provided the following is true:

· Ensure that UDP port 500 on your NAT gateway is mapped to the SecuRemote client. FireWall-1 tries to communicate via this port.
· Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50) if UDP Encapsulation is not used.
· If UDP Encapsulation Mode is used, make sure it can pass UDP Port 2746.
· If Gateway Clusters are used with UDP Encapsulation, you will need to upgrade to FireWall-1 4.1 SP3 or later for this to work correctly.
· Make sure that each HIDE NAT client is using a different IP address. If two clients attempt to use SecuRemote and have the same non-routable address, neither client will be able to access the internal network correctly. Where this will commonly show up is if two or more clients use the same NAT router with the default configuration. This limitation will be removed in a future feature pack of NG (Feature Pack 1 current as of this writing).
· Make sure that ESP mode is configured for the affected users in their IKE Properties, Encryption tab. AH will not work. This is generally the default.
You will also need to modify objects.C on the management console. Edit $FWDIR/conf/objects.C. For guidelines on editing objects.C, see "How do I Edit Objects.C?" After the :props ( line, add or modify the following lines so they read:

:userc_NAT (true)
:userc_IKE_NAT (true)

FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and later have a "UDP Encapsulation" feature that uses UDP to encapsulate the encrypted data when IKE is used. This mode should be far more compatible with NAT devices, as all communication will occur over UDP instead of using IP datagrams. Both FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 (and later) are required to make use of this feature.

If UDP encapsulation does not work with the correct version of SecuRemote installed on the client, you will need to manually enable UDP Encapsulation. In NG, this is configurable in the GUI in the IKE Properties, Advanced page. In FireWall-1 4.1, look for the section in your $FWDIR/conf/objects.C that has your firewall or gateway cluster object. It looks something like this (my object is called phoneboy-gc):
:isakmp.udpencapsulation (
    :resource (
        :type (refobj)
        :refname ("#_VPN1_IPSEC_encapsulation")
    )
    :active (true)
)
You will also need to create a service called VPN1_IPSEC_encapsulation, if it does not exist. It is a UDP service, port 2746.

Needless to say, this does not work for me. Anybody out there experience anything like this? Anyone have any idea what could be wrong here or suggestions I could try? This has really been driving me crazy; as I mentioned, it's been months that I've been unable to get this resolved and I'm getting close to giving up and getting a VPN appliance. I've just read too many other posts and articles about this working for people, though, so I know it should work. Any input you could give me would be greatly appreciated. I've hit a brick wall with this. Thanks,

Christian Hanke
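The file-side checklist the thread keeps coming back to (both userc_* properties set to true, a UDP service on port 2746 named VPN1_IPSEC_encapsulation, and the gateway object's isakmp.udpencapsulation block active and referencing that service) can be verified mechanically instead of by re-reading objects.C dozens of times. The following Python script is an added example written for this page; it is not Check Point tooling and was not posted by anyone in the thread. It reads an objects.C-style file with a simplified parser and reports which of those settings is missing or wrong. The section names :network_objects and :services, and the :type (udp) / :port (2746) form of the service entry, are assumptions about the 4.1 file layout; the sample fragments are constructed, not taken from a real installation.

```python
import re

# Tokens: quoted strings, parentheses, ':name' keys (names may contain '.'), bare atoms.
TOKEN_RE = re.compile(r'"[^"]*"|[()]|:[^\s()]*|[^\s()]+')


def parse_objects_c(text: str) -> dict:
    """Parse ':name ( atom | nested entries )' blocks into nested dicts (simplified objects.C)."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def take(expected=None):                 # consume one token, optionally a specific one
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"bad or missing token at {pos}, expected {expected!r}")
        pos += 1
        return tokens[pos - 1]

    def block(nested):
        entries = {}
        while pos < len(tokens):
            if tokens[pos] == ")":
                if not nested:
                    raise ValueError("unbalanced ')'")
                take()
                return entries
            key = take()
            if not key.startswith(":"):
                raise ValueError(f"expected ':name', got {key!r}")
            name = key[1:] or f"_{len(entries)}"   # unnamed ': (' entries get positional keys
            take("(")
            if tokens[pos:pos + 1] == [")"]:      # ':name ()' -> empty value
                entries[name] = ""
            elif tokens[pos:pos + 1] and tokens[pos].startswith(":"):  # nested block
                entries[name] = block(True)       # block() consumes the closing ')'
                continue
            else:                                 # quoted or bare atom
                entries[name] = take().strip('"')
            take(")")
        if nested:
            raise ValueError("unterminated block")
        return entries

    return block(False)


def _section(tree: dict, name: str) -> dict:
    """Return a nested section as a dict, or {} when absent, empty or an atom."""
    sec = tree.get(name)
    return sec if isinstance(sec, dict) else {}


def check_securemote_nat(text: str) -> list:
    """Return findings for the NAT-related settings; an empty list means every check passed."""
    tree = parse_objects_c(text)
    findings = []
    # 1. Both global properties must read (true); an upgraded install may lack one.
    props = _section(tree, "props")
    for key in ("userc_NAT", "userc_IKE_NAT"):
        if props.get(key) != "true":
            findings.append(f":props :{key} is {props.get(key, 'missing')!r}, expected 'true'")
    # 2. The UDP/2746 service that the encapsulation block references.
    svc = _section(_section(tree, "services"), "VPN1_IPSEC_encapsulation")
    if not svc:
        findings.append("service VPN1_IPSEC_encapsulation is missing or empty")
    elif svc.get("type") != "udp" or svc.get("port") != "2746":
        findings.append("VPN1_IPSEC_encapsulation must be a UDP service on port 2746")
    # 3. Gateway objects carrying the encapsulation block (assumed to live under :network_objects).
    gws = {n: o for n, o in _section(tree, "network_objects").items()
           if isinstance(o, dict) and "isakmp.udpencapsulation" in o}
    if not gws:
        findings.append("no network object has an :isakmp.udpencapsulation block")
    for name, enc in ((n, _section(o, "isakmp.udpencapsulation")) for n, o in gws.items()):
        if enc.get("active") != "true":
            findings.append(f"{name}: isakmp.udpencapsulation :active is not (true)")
        if _section(enc, "resource").get("refname") != "#_VPN1_IPSEC_encapsulation":
            findings.append(f"{name}: encapsulation does not reference #_VPN1_IPSEC_encapsulation")
    return findings


# Constructed sample: every setting from the checklist present, gateway object named example-gw.
SAMPLE_OK = """
:props ( :userc_NAT (true) :userc_IKE_NAT (true) )
:network_objects (
    :example-gw (
        :isakmp.udpencapsulation (
            :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
            )
            :active (true)
        )
    )
)
:services ( :VPN1_IPSEC_encapsulation ( :type (udp) :port (2746) ) )
"""
# Constructed from the sample above: the shape of an upgraded install where userc_IKE_NAT never
# got added, encapsulation was left inactive and the service entry is empty.
SAMPLE_UPGRADED = (SAMPLE_OK.replace(":userc_IKE_NAT (true) ", "")
                   .replace(":active (true)", ":active (false)")
                   .replace(":type (udp) :port (2746) ", ""))

if __name__ == "__main__":
    print(check_securemote_nat(SAMPLE_UPGRADED) or "all SecuRemote/NAT checks passed")
```

Run it against a copy of $FWDIR/conf/objects.C (read the file into a string and pass it to check_securemote_nat). An empty result means the management-station side of the checklist is satisfied, which narrows the search to the NAT device itself: the UDP 500 and UDP 2746 mappings to the client that the quoted guidance calls for.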