The client has no way to know what IP you are natting the FW to since it is natted by a different device. I do not know if this works in NGX but with 4.1 you can change the IP here...

> : (VPNHome.isildur
>     :obj (
>         : (192.168.67.193)
>     )

to reflect the natted IP and then the client would connect OK.

There is an old .pdf on this here.
http://www.spy-hunter.com/SecureClienttoaNATedFWfinal.pdf

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of chkp tech
Sent: Friday, February 17, 2006 2:41 PM
To: [email protected]
Subject: Re: [FW-1] Problems with a natted firewall NGX

If changing the userc_IKE_NAT value didn't solve your problem, then I'd suggest you get an fw monitor and an ike debug from the gateway. With the ike debug you'll be able to see where in the process IKE fails and why. You might be able to see from the fw monitor which packet IKE fails with.

1) To debug ike, run the command:
   vpn debug ikeon
2) To turn on fw monitoring, run the command:
   fw monitor -o mon.out
3) To bring the tunnel back up
   Send traffic across the tunnel to initiate the tunnel
4) To stop the fw monitor, run the command:
   ctrl + c to stop the fw monitor
5) To turn Ike debugging off, run the command:
   vpn debug ikeoff

Review the ike.elg with wordpad and the fw monitor with ethereal.

Jason

On 2/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am trying to set up a vpn for securemote clients. My firewall is a NGX HF02 under RHEL 3. This firewall is natted by ADSL router. Under Smartcenter server I have activated UDP encapsulation (NAT traversal) to establish vpns between natted securemote clients and this firewall. Well, this configuration does not work for me.
>
> Under SecuRemote userc.C config file I see these params:
>
> : (VPNHome.isildur
>     :obj (
>         : (192.168.67.193)
>     )
>     :keymanager (
>         :type (refobj)
>         :refname ("#_VPNHome")
>     )
>     :allowed_interface_ranges (
>         : (192.168.67.193
>             :allowed_range (
>                 : (
>                     :type (machines_range)
>                     :ipaddr_first (0.0.0.0)
>                     :ipaddr_last (255.255.255.255)
>                 )
>             )
>             :is_ext (true)
>             :is_natted (false)
>         )
>     )
>     :resolve_interface_ranges (true)
>     :ifaddrs (
>         : (192.168.67.193)
>         : (172.16.76.6)
>         : (192.168.100.65)
>
> In this securemote configuration you will see this: is_natted (false). How can I change this param under firewall, because it is a natted device?? Do I need to use IKE over tcp to change this value?
>
> Thanks for your help.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
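
Added example, not part of the original thread and not Check Point code: a Python sketch that parses a userc.C topology excerpt and lists gateway entries whose :obj address is an RFC 1918 address, the condition discussed in the messages above. It assumes the file follows the nested `:name (value ...)` layout visible in the quoted excerpt; the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Parse ':name (value :child (...))' sets into {'value', 'children'} nodes."""
    toks = iter(TOKEN.findall(text) + [")"])      # closing paren for the implicit top-level set
    def node():
        value, children = None, []
        for tok in toks:
            if tok == ")":
                return {"value": value, "children": children}
            if tok.startswith(":"):               # ':name' key, or bare ':' for an unnamed entry
                if next(toks, None) != "(":
                    raise ValueError(f"expected '(' after {tok!r}")
                children.append((tok[1:], node()))
            else:
                value = tok.strip('"')
        raise ValueError("unbalanced parentheses (truncated file?)")
    root = node()
    if next(toks, None) is not None:
        raise ValueError("unexpected ')'")
    return root

def child(node, name):
    return [n for key, n in node["children"] if key == name]

def private_gateways(text):
    """Return (gateway, :obj address, is_natted values) for RFC 1918 :obj addresses."""
    findings = []
    for gw in child(parse(text), ""):
        natted = [n["value"] for r in child(gw, "allowed_interface_ranges")
                  for i in child(r, "") for n in child(i, "is_natted")]
        for obj in child(gw, "obj"):
            for addr in child(obj, ""):
                ip = ipaddress.ip_address(addr["value"])
                if any(ip in net for net in RFC1918):
                    findings.append((gw["value"], str(ip), natted))
    return findings

# Constructed sample: first entry trimmed from the thread's excerpt, second invented for contrast.
SAMPLE = """: (VPNHome.isildur :obj ( : (192.168.67.193) )
  :allowed_interface_ranges ( : (192.168.67.193 :is_ext (true) :is_natted (false) ) ) )
: (VPNHome.example :obj ( : (203.0.113.10) ) )"""

if __name__ == "__main__":
    print(private_gateways(SAMPLE))
```

The excerpt as quoted in the thread is cut off inside :ifaddrs, so feeding it unchanged raises ValueError; run the check against the complete file.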
