Re: IPSec VPN using Symantec VPN Appliances

["Larry Youngquist" <lyoungquist () hotmail com>]

Nope.  No NAT'ing.   The CP is just acting as a filter.   The WAN port of
the VPN device is a public IP address.

We're in the process of applying new firmware onto the Symantec/Nexland
boxes and hoping that helps.

Larry


> Subject: Re: [fw-wiz] IPSec VPN using Symantec VPN Appliances
> From: 1337 h4x0r <scouser () paradise net nz>
> To: Larry Youngquist <lyoungquist () hotmail com>
> Cc: Firewall Wizards <firewall-wizards () honor icsalabs com>
> Date: 11 Sep 2002 00:01:34 +1200
>
> Dumn question I know but you are not natting behind the FW-1 box are
> you?
>
> ;-)
> On Tue, 2002-09-10 at 06:25, Larry Youngquist wrote:
> > We're trying to establish a IPSec VPN tunnel between two Symantec VPN
> > appliances and receiving an error after the tunnel has been established.
I
> > have one unit on a screened subnet sitting behind a Checkpoint NG
firewall
> > and another on a public interface.   The Checkpoing NG firewall has a
policy
> > of allowing IPSec through it (UDP 500, IP 50 and IP 51).
> >
> > The negotiation between the two devices starts and the ISAKMP and IPSec
SA's
> > are established.   But almost immediately, I get an error message from
the
> > one end that states, "ERR:size (300) differs from size specified in
ISAKMP
> > HDR (40) (null): Unequal_Payload_Lengths".   The connection is then
> > terminated.
> >
> > Is it possible that the firewall is modifying the packets as they pass
> > through?
> >
> > We're using a pre-shared secret and tested these units in the lab with
only
> > a router between them.
> >
> > Thanks in advance,
> >
> > Larry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards