Firewall Wizards mailing list archives

IPSEC Traffic blocked?


From: "Aram Smith" <aram.smith () appiancorp com>
Date: Fri, 12 Dec 2003 10:17:26 -0500

I have recently implemented a Netscreen 50 and have Dial Up VPN clients successfully connecting to it via an AutoIKE
policy using NAT-T. Some clients are connecting from behind residential routers successfully. The only ones that have
had to make firewall adjustments are the ones behind the D-Link routers. Some of these same clients that can connect
from home and other places are unable to connect from one location that is inside a checkpoint router. Here is what
shows in the logs of the client after he activates the policy and tries pinging a computer on our LAN:

12-04: 13:28:32.123 My Connections\Company_Auto - Initiating IKE Phase 1 (IP ADDR=<our gateway IP>)
12-04: 13:28:33.445 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
12-04: 13:28:33.555 My Connections\Company_Auto - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH, VID, NAT-D 2x)
12-04: 13:28:33.555 My Connections\Company_Auto - Peer is NAT-T draft-01 capable
12-04: 13:28:33.786 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
12-04: 13:28:33.786 My Connections\Company_Auto - Established IKE SA
12-04: 13:28:33.786    MY COOKIE <cookie here>
12-04: 13:28:33.786    HIS COOKIE <cookie here>
12-04: 13:28:34.727 Error creating Virtual Interface for local interface 140.183.86.32, err=RASSTATUS_NO_PROTOCOLS (**we attempted to add a virt int)
12-04: 13:28:34.777 My Connections\Company_Auto - Initiating IKE Phase 2 with Client IDs (message id: <id here>)
12-04: 13:28:34.777   Initiator = IP ADDR=<user's IP>, prot = 0 port = 0
12-04: 13:28:34.777   Responder = IP SUBNET/MASK=<our subnet>, prot = 0 port = 0
12-04: 13:28:34.777 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
12-04: 13:28:34.837 My Connections\Company_Auto - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)
12-04: 13:28:34.837 My Connections\Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH)
12-04: 13:28:34.837 My Connections\Company_Auto - Loading IPSec SA (Message ID = <ID> OUTBOUND SPI = <SPI> INBOUND SPI = <SPI>)
12-04: 13:28:34.837

Nothing comes up after that last entry. It appears to us that inbound IPSEC traffic is being denied by the checkpoint 
router. Their IT dept has stated that they are unable to make a policy allowing the inbound IPSEC traffic.  To me it 
appears to be a dead issue then, but I was wondering if anyone had any suggestions on how we can overcome this? Thanks 
in advance for any help. 

Aram Smith
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
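The client log above is a useful artifact on its own: it shows how far the negotiation got, and that decides which traffic the intermediate firewall has to pass. The script below is an added example for this thread, not code from the poster, from the list, or from NetScreen; it triages a log of this shape and reports the furthest IKE milestone reached plus the flows that must be open for the next step. The log wording it matches on ("Initiating IKE Phase 1", "Established IKE SA", "Loading IPSec SA", "NAT-T draft-NN capable") is an assumption taken from the excerpt in the post, the sample log is constructed to mirror that excerpt with placeholder addresses and SPIs, and the port facts are the RFC ones (ISAKMP on UDP/500, UDP-encapsulated ESP on UDP/4500 per RFC 3947/3948, native ESP as IP protocol 50); whether a pre-RFC NAT-T draft peer floats to 4500 at all is flagged as an assumption to confirm with a capture.

```python
"""Triage an IPsec dial-up client's IKE log: how far did it get, and which
traffic does an intermediate firewall have to pass for the next step?

Added example for the firewall-wizards thread; not the poster's or NetScreen's
code.  SAMPLE_LOG is constructed to mirror the shape of the client log quoted
in the post (addresses, message IDs and SPIs are placeholders).
"""
import re

SAMPLE_LOG = "\n".join([
    "12-04: 13:28:32.123 Company_Auto - Initiating IKE Phase 1 (IP ADDR=203.0.113.1)",
    "12-04: 13:28:33.445 Company_Auto - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)",
    "12-04: 13:28:33.555 Company_Auto - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH, VID, NAT-D 2x)",
    "12-04: 13:28:33.555 Company_Auto - Peer is NAT-T draft-01 capable",
    "12-04: 13:28:33.786 Company_Auto - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)",
    "12-04: 13:28:33.786 Company_Auto - Established IKE SA",
    "12-04: 13:28:34.777 Company_Auto - Initiating IKE Phase 2 with Client IDs (message id: 1)",
    "12-04: 13:28:34.777 Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)",
    "12-04: 13:28:34.837 Company_Auto - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)",
    "12-04: 13:28:34.837 Company_Auto - SENDING>>>> ISAKMP OAK QM *(HASH)",
    "12-04: 13:28:34.837 Company_Auto - Loading IPSec SA (Message ID = 1 OUTBOUND SPI = 0x1 INBOUND SPI = 0x2)",
])

# Milestones in protocol order.  The patterns are an assumption about this
# client's log wording, taken from the excerpt in the post.
MILESTONES = [
    ("phase1_initiated",   re.compile(r"Initiating IKE Phase 1")),
    ("ike_sa_established", re.compile(r"Established IKE SA")),
    ("phase2_initiated",   re.compile(r"Initiating IKE Phase 2")),
    ("ipsec_sa_loaded",    re.compile(r"Loading IPSec SA")),
]
NAT_T_RE = re.compile(r"NAT-T draft-(\d+) capable")


def furthest_milestone(log_text):
    """Name of the latest milestone whose marker appears in the log, or None."""
    reached = None
    for name, pattern in MILESTONES:
        if pattern.search(log_text):
            reached = name
    return reached


def nat_t_draft(log_text):
    """NAT-T draft number the peer advertised, or None if NAT-T was not seen."""
    m = NAT_T_RE.search(log_text)
    return int(m.group(1)) if m else None


def diagnose(log_text):
    """Map the furthest milestone to a verdict and the flows that must be open."""
    stage = furthest_milestone(log_text)
    draft = nat_t_draft(log_text)
    flows = []
    if stage is None:
        verdict = "no IKE activity logged: the client never tried, or logging is off"
    elif stage == "phase1_initiated":
        verdict = ("Phase 1 never completed: UDP/500 is blocked in at least one "
                   "direction, or the Phase 1 proposal or pre-shared key does not match")
        flows.append("UDP/500 both directions (ISAKMP)")
    elif stage in ("ike_sa_established", "phase2_initiated"):
        verdict = ("IKE SA is up but Phase 2 did not complete: UDP/500 already works, "
                   "so look at the Phase 2 proposal or proxy-ID mismatch before the firewall")
    else:  # ipsec_sa_loaded: both phases done, the data path is what is missing
        verdict = ("both IKE phases completed over UDP/500; the data path (ESP or "
                   "UDP-encapsulated ESP) never delivered a reply, so that is what the "
                   "intermediate firewall must be dropping")
        if draft is not None:
            flows.append("UDP/4500 both directions (UDP-encapsulated ESP, RFC 3948)")
            flows.append("assumption: a pre-RFC NAT-T draft peer (this one said draft-%02d) "
                         "may keep encapsulated ESP on UDP/500 instead; confirm with a "
                         "capture on the gateway" % draft)
        else:
            flows.append("IP protocol 50 (ESP) both directions")
    return {"stage": stage, "nat_t_draft": draft, "verdict": verdict,
            "required_flows": flows}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("stage:   ", result["stage"])
    print("NAT-T:   ", result["nat_t_draft"])
    print("verdict: ", result["verdict"])
    for flow in result["required_flows"]:
        print("needs:   ", flow)
```

Run against the constructed sample it reports `ipsec_sa_loaded`, which is exactly the situation in the post: IKE got through in both directions, so UDP/500 is not the problem, and the only thing left for the remote site's firewall to be dropping is the encapsulated ESP reply path. Feeding it a log that stops before "Established IKE SA" moves the verdict to a UDP/500 or proposal problem instead.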
