Hi Steve,
I think as far as fw-1 is concerned the Nat-t & Udp encapsulation are a single
option thats to be enabled on the Enforcement module -> VPN -> VPN Advanced ->
Support Nat traversal Mechanism ( UDP encapsulation) & the default port is 2746.
If the vpnserver is not enabled as shown above i guess enabling the client is
of no help & for esp exchange to happen it will require one-to-one nat. I
believe the o/p below showing the source port for isakmp not changing from 500
is coz you are viewing it during a one-to-one nat on your local firewall.
Regards,
Tinu Koshy.
-----Original Message-----
From: Steven S. [mailto:ssurdock AT ENGINEERED-NET DOT COM]
Sent: 02 November 2004 21:14
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] VPN client through FW-1 NG AI R55
Greetings,
I'm trying to use an AT&T supplied VPN client through our internal FW to
connect to an AT&T controlled VPN server. The VPN is established but I
can't fully communicate unless I configure a one-to-one NAT. The client is
configured to use UDP encapsulation, but it's not used by the client.
During the ISAKMP negotiation I see that FW-1 does not changed the source
port of the negotiations (UDP 500 <--> UDP 500). I believe this is
confusing the remote VPN server (which I suspect is looking for a NAT-T type
translation) and it is not requesting UDP encapsulation.
Anyone see this before (I've had no luck in the archives.)
Does anyone know of a way to force FW-1 to perform source port translation
on ISAKMP negotiation?
Thanks,
-Steve S.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
This e-mail has been scanned for viruses by the Cable & Wireless e-mail
security system - powered by MessageLabs. For more information on a proactive
managed e-mail security service, visit http://www.cw.com/uk/emailprotection/
The information contained in this e-mail is confidential and may also be
subject to legal privilege. It is intended only for the recipient(s) named
above. If you are not named above as a recipient, you must not read, copy,
disclose, forward or otherwise use the information contained in this email. If
you have received this e-mail in error, please notify the sender (whose contact
details are above) immediately by reply e-mail and delete the message and any
attachments without retaining any copies.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
|
