If changing the userc_IKE_NAT value didn't solve your problem, then I'd
suggest you get an fw monitor and an IKE debug from the gateway. With the
IKE debug you'll be able to see where in the process IKE fails and why. You
might be able to see from the fw monitor which packet IKE fails with.

1) To debug IKE, run the command:
vpn debug ikeon
2) To turn on fw monitoring, run the command:
fw monitor -o mon.out
3) To bring the tunnel back up:
Send traffic across the tunnel to initiate the tunnel
4) To stop the fw monitor, run the command:
Ctrl+C to stop the fw monitor
5) To turn IKE debugging off, run the command:
vpn debug ikeoff

Review the ike.elg with WordPad and the fw monitor with Ethereal.
Jason
On 2/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am trying to set up a VPN for SecuRemote clients. My firewall is an
> NGX HF02 under RHEL 3. This firewall is natted by an ADSL router. Under
> SmartCenter server I have activated UDP encapsulation (NAT traversal)
> to establish VPNs between natted SecuRemote clients and this firewall.
> Well, this configuration does not work for me.
>
> Under the SecuRemote userc.C config file I see these params:
>
> : (VPNHome.isildur
> :obj (
> : (192.168.67.193)
> )
> :keymanager (
> :type (refobj)
> :refname ("#_VPNHome")
> )
> :allowed_interface_ranges (
> : (192.168.67.193
> :allowed_range (
> : (
> :type (machines_range)
> :ipaddr_first (0.0.0.0)
> :ipaddr_last (255.255.255.255)
> )
> )
> :is_ext (true)
> :is_natted (false)
> )
> )
> :resolve_interface_ranges (true)
> :ifaddrs (
> : (192.168.67.193)
> : (172.16.76.6)
> : (192.168.100.65)
>
> In this SecuRemote configuration you will see this: is_natted
> (false). How can I change this param under the firewall, because it is a
> natted device? Do I need to use IKE over TCP to change this value?
>
> Thanks for your help.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
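
The is_natted flag asked about above can be read out of userc.C with a short script. This is an added example, not part of the original thread and not Check Point tooling: a Python parser for the nested ":name (value)" syntax shown in the quoted excerpt, listing each interface entry with its is_ext and is_natted values, and tolerating a file that is cut off before its closing parentheses. The grammar is an assumption inferred from the excerpt, SAMPLE is constructed from it (closed so that it parses), and parse and interface_flags are hypothetical helper names.

```python
import re

# Constructed sample: the excerpt quoted in the message, closed so it parses.
SAMPLE = """
: (VPNHome.isildur
    :obj ( : (192.168.67.193) )
    :keymanager ( :type (refobj) :refname ("#_VPNHome") )
    :allowed_interface_ranges (
        : (192.168.67.193
            :allowed_range ( : ( :type (machines_range)
                :ipaddr_first (0.0.0.0) :ipaddr_last (255.255.255.255) ) )
            :is_ext (true)
            :is_natted (false)
        )
    )
    :resolve_interface_ranges (true)
)
"""

# Quoted strings, parentheses, or bare atoms (":name", ":" and values).
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()]+')

def parse(text):
    """Parse ':name (value :child (...))' sets into nested dicts (assumed grammar)."""
    tokens = ["("] + TOKEN.findall(text)    # synthetic root set around the file
    pos = 0

    def read_set():
        nonlocal pos
        pos += 1                            # consume "("
        node = {"value": None, "children": []}
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos].startswith(":") and tokens[pos + 1:pos + 2] == ["("]:
                name, pos = tokens[pos][1:], pos + 1
                node["children"].append((name, read_set()))
            else:                           # bare atom: the set's own value
                node["value"], pos = tokens[pos].strip('"'), pos + 1
        pos += 1                            # consume ")"; harmless if the file is truncated
        return node

    return read_set()

def interface_flags(node, gateway=None):
    """Yield (gateway, interface, is_ext, is_natted) for each entry with is_natted."""
    attrs = {name: child["value"] for name, child in node["children"] if name}
    if "is_natted" in attrs:
        yield gateway, node["value"], attrs.get("is_ext"), attrs["is_natted"]
    for _, child in node["children"]:
        # Assumption: the outermost value seen on the way down names the gateway.
        yield from interface_flags(child, gateway or child["value"])
```

list(interface_flags(parse(open("userc.C").read()))) gives one tuple per interface entry, so a gateway that sits behind NAT but still reports is_natted as "false" stands out.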