Re: connecting to VPN from behind FW-1

[Tina Bird <tbird () precision-guesswork com>]

Is the VPN using IPsec with dynamic keying?  (i.e. ISAKMP/
IKE to build the security associations)  If so, is the FW-1
NAT also doing port translation of the outgoing connections?

The key negotiation protocol demands that the >>source port<<
of the connection request be UDP/500.  Most NAT devices break
that.  Last time I checked, Checkpoint's answer was to either
build a rule that changes address but not port, or to put
the client outside the NAT device.

Ugh.

cheers -- tbird

On Tue, 29 Aug 2000, Tim Iliff wrote:

> Date: Tue, 29 Aug 2000 12:34:54 -0400
> From: Tim Iliff <TIliff () Investprivate com>
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] connecting to VPN from behind FW-1
>
> hello all,
>
> I am trying to connect to a VPN (behind FW-1 4.1) with securemote from a LAN
> behind a FW-1 NAT? The remote firewall is configured to allow connections
> from behind a NAT, but I can't figure out what needs to be done on my end.
> Do I need to install a VPN gateway on my firewall?
>
> I am trying to connect from an NT workstation behind a FW-1 4.1 firewall. 
> Securemote is 4.1 build 4157. 
>
> Any help would be greatly appreciated!
>
> Thanks 
> tim iliff
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards