Firewall Wizards mailing list archives
IPSEC Traffic blocked?
From: "Aram Smith" <aram.smith () appiancorp com>
Date: Fri, 12 Dec 2003 10:17:26 -0500
I have recently implemented a Netscreen 50 and have Dial Up VPN clients successfully connecting to it via an AutoIKE policy using NAT-T. Some clients are connecting from behind residential routers successfully. The only ones that have had to make firewall adjustments are the ones behind the Dlink routers. Some of these same clients that can connect from home and other places are unable to connect from one location that is inside a Checkpoint router. Here is what shows in the logs of the client after he activates the policy and tries pinging a computer on our LAN:

12-04: 13:28:32.123 My Connections\Company_Auto - Initiating IKE Phase 1 (IP ADDR=<our gateway IP>)
12-04: 13:28:33.445 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
12-04: 13:28:33.555 My Connections\Company_Auto - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH, VID, NAT-D 2x)
12-04: 13:28:33.555 My Connections\Company_Auto - Peer is NAT-T draft-01 capable
12-04: 13:28:33.786 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
12-04: 13:28:33.786 My Connections\Company_Auto - Established IKE SA
12-04: 13:28:33.786 MY COOKIE <cookie here>
12-04: 13:28:33.786 HIS COOKIE <cookie here>
12-04: 13:28:34.727 Error creating Virtual Interface for local interface 140.183.86.32, err=RASSTATUS_NO_PROTOCOLS (**we attempted to add a virt int)
12-04: 13:28:34.777 My Connections\Company_Auto - Initiating IKE Phase 2 with Client IDs (message id: <id here>)
12-04: 13:28:34.777 Initiator = IP ADDR=<user's IP>, prot = 0 port = 0
12-04: 13:28:34.777 Responder = IP SUBNET/MASK=<our subnet>, prot = 0 port = 0
12-04: 13:28:34.777 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
12-04: 13:28:34.837 My Connections\Company_Auto - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)
12-04: 13:28:34.837 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH)
12-04: 13:28:34.837 My Connections\Company_Auto - Loading IPSec SA (Message ID = <ID> OUTBOUND SPI = <SPI> INBOUND SPI = <SPI>)
12-04: 13:28:34.837

Nothing comes up after that last entry. It appears to us that inbound IPSEC traffic is being denied by the Checkpoint router. Their IT dept has stated that they are unable to make a policy allowing the inbound IPSEC traffic. To me it appears to be a dead issue then, but I was wondering if anyone had any suggestions on how we can overcome this? Thanks in advance for any help.

Aram Smith

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
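A small triage helper, added here as an example and not part of the post above, that reads a client log in the format quoted in the message and reports how far the IKE negotiation got, which tells you whether it is the IKE control channel or the ESP data path that is being dropped. The milestone strings are taken from the post; the sample log below is constructed, with placeholder addresses, ids and SPIs.

```python
# Constructed sample in the style of the client log quoted in the post; the gateway
# address, local interface, message id and SPIs are placeholders, not the post's values.
SAMPLE_LOG = """\
12-04: 13:28:32.123 My Connections\\Company_Auto - Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
12-04: 13:28:33.445 My Connections\\Company_Auto - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
12-04: 13:28:33.555 My Connections\\Company_Auto - Peer is NAT-T draft-01 capable
12-04: 13:28:33.786 My Connections\\Company_Auto - Established IKE SA
12-04: 13:28:34.727 Error creating Virtual Interface for local interface 192.0.2.5, err=RASSTATUS_NO_PROTOCOLS
12-04: 13:28:34.777 My Connections\\Company_Auto - Initiating IKE Phase 2 with Client IDs (message id: 1)
12-04: 13:28:34.837 My Connections\\Company_Auto - Loading IPSec SA (Message ID = 1 OUTBOUND SPI = 1001 INBOUND SPI = 2002)
"""

# Milestones in the order a successful negotiation passes through them, each paired
# with the most likely explanation when the log stops right after that point.
MILESTONES = [
    ("Initiating IKE Phase 1",
     "no IKE reply at all: UDP/500 to the gateway is blocked or the gateway is unreachable"),
    ("Established IKE SA",
     "phase 1 completed but phase 2 never started: check the client policy and proposals"),
    ("Initiating IKE Phase 2",
     "quick mode got no reply: proposal mismatch or the return IKE path is blocked"),
    ("Loading IPSec SA",
     "both SAs negotiated; the IKE control channel works"),
]

def diagnose(log_text):
    """Return (stage, nat_t, note) for the furthest milestone the log reached."""
    reached, nat_t = -1, False
    for line in log_text.splitlines():
        if "Peer is NAT-T" in line:
            nat_t = True                      # peer negotiated UDP encapsulation of ESP
        for i, (name, _) in enumerate(MILESTONES):
            if name in line:
                reached = max(reached, i)     # keep the furthest stage, not the last line
    if reached < 0:
        return None, nat_t, "IKE never started: check that the client policy was activated"
    stage, note = MILESTONES[reached]
    if stage == "Loading IPSec SA":
        # Tunnel is up from IKE's point of view, so a ping that still fails means the
        # data path is dropped: UDP/4500 when NAT-T was negotiated, IP protocol 50 otherwise.
        path = "UDP/4500 (NAT-T encapsulated ESP)" if nat_t else "IP protocol 50 (ESP)"
        note += f"; if no traffic follows, {path} is being dropped somewhere on the path"
    return stage, nat_t, note

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For the log in the post this reports the last stage with NAT-T negotiated, which is why the remaining suspect is UDP/4500 being dropped on the way in rather than anything in the IKE exchange.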