Many thanks to everyone who responded to this issue.
Everyone's help is highly appreciated.
I let my upper management know that this will not work; oh well, you can't win them all...
Kind Regards,
Fabian J. Oliva
#Legal Notice#
"My opinions are my own, and not those of my client, employer, my brother, anyone's brother's sister's roommate's cousin, or anyone named Bill"
-----Original Message-----
From: Bob Brandt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 28, 2000 3:02 PM
To: Oliva, Fabian J [Sprint]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Setting up Client IKE/IPSEC VPN to a Nortel Box through FW-1
Yes, you will need to configure static NAT for the user, and it must be the same static NAT for both the UDP 500 and IPSec flows.

You also will need to ensure that the remote end (Nortel Extranet) does not use AH (protocol 51) but just ESP (protocol 50). This is because AH uses the entire IP header in its digital signature. If the Checkpoint NATs this header (which it will, based on your note), the AH digital signature will be invalidated by the Firewall because it changed the packet in flight, which is a security violation in IPSec.

ESP, on the other hand, still provides a digital signature, but it does not include the source IP as part of the digital signature, so it will work even with the occurrence of the Checkpoint NAT.
Hope this helps.
Bob Brandt, 3M, [EMAIL PROTECTED]
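The AH-versus-ESP point Bob makes above, as an added Python example that is not part of the original thread or of any Check Point or Nortel code. It builds a minimal IPv4 packet, protects it once with an AH-style integrity check value (ICV) and once with an ESP-style one, then pushes each through a simulated NAT (source address rewritten) and through an ordinary router hop (TTL decremented). One refinement of Bob's wording: per RFC 4302 the AH ICV excludes the fields that legitimately change in transit (TOS/DSCP, flags and fragment offset, TTL, checksum) but does cover the source and destination addresses, so a router hop leaves AH intact while NAT breaks it; ESP's ICV never covers the outer IP header at all. The key, addresses, SPIs, payload and the HMAC-SHA-256-128 truncation are all constructed for the demo, and ESP encryption is omitted since it plays no part in the NAT question.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed demo key: a real SA gets its keys from IKE over UDP 500.
KEY = b"constructed-demo-key-not-for-real-use"
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 16  # HMAC-SHA-256-128 truncation (RFC 4868), chosen for the demo


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(hdr: bytearray) -> bytes:
    """Recompute the header checksum after any field was rewritten."""
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return _with_checksum(bytearray(hdr))


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 treats as mutable in transit; src/dst stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def _icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src: str, dst: str, payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    # AH fixed header: next header (17 = UDP), length in 32-bit words minus 2,
    # reserved, SPI, sequence number. The ICV is computed with its own field zeroed.
    ah_fixed = struct.pack("!BBHII", 17, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(payload))
    icv = _icv(ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet: bytes) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload))


def esp_protect(src: str, dst: str, payload: bytes, spi: int = 0x2000, seq: int = 1) -> bytes:
    # ESP header (SPI, sequence) + body + ICV. The body stands in for the ciphertext.
    esp_hdr = struct.pack("!II", spi, seq)
    icv = _icv(esp_hdr + payload)  # the outer IP header is not covered at all
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def esp_verify(packet: bytes) -> bool:
    esp = packet[20:]
    return hmac.compare_digest(esp[-ICV_LEN:], _icv(esp[:-ICV_LEN]))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What the firewall's NAT does: swap the source address and fix the checksum."""
    h = bytearray(packet[:20])
    h[12:16] = IPv4Address(new_src).packed
    return _with_checksum(h) + packet[20:]


def router_hop(packet: bytes) -> bytes:
    """What any ordinary router does: decrement TTL and fix the checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return _with_checksum(h) + packet[20:]


def demo(inside: str = "10.1.2.3", nat_public: str = "192.0.2.10", peer: str = "198.51.100.5") -> dict:
    """Addresses are constructed (RFC 1918 / documentation ranges), not the poster's."""
    payload = b"constructed inner datagram"
    ah_pkt = ah_protect(inside, peer, payload)
    esp_pkt = esp_protect(inside, peer, payload)
    return {
        "ah_direct": ah_verify(ah_pkt),
        "ah_after_router_hop": ah_verify(router_hop(ah_pkt)),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah_pkt, nat_public)),
        "esp_direct": esp_verify(esp_pkt),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp_pkt, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'ICV ok' if ok else 'ICV FAILED'}")
```

Run it and only `ah_after_nat` fails: the receiver recomputes the ICV over the rewritten source address and it no longer matches, which is exactly the "changed in flight" rejection Bob describes, while the ESP packet survives the same rewrite because its ICV starts at the ESP header. This is also why the firewall rule must permit IP protocol 50 rather than a TCP or UDP port, and why the static NAT has to be the same for the UDP 500 and protocol 50 flows: the peer ties both to one outer source address.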
"Oliva, Fabian J [Sprint]" wrote:
> Hello all,
>
> I'm trying to configure (if possible) my firewall to allow an internal user to
> establish a Nortel Extranet VPN session through my FW-1.
> I have some documentation that says to configure these 3 ports:
>
> UDP 500 for IKE Key Management
> IP Protocol 50 for IPSEC Payload Encryption
> IP Protocol 51 for IPSEC Authentication Header
>
> What is the syntax for configuring the two IP Protocols?
> Also the user is on a private address space that is configured HIDE-NAT to
> the Internet.
> Would I have to configure static NAT for this to work?
>
> Thanks in advance for everyone's help,
>
> Fabian J. Oliva
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================