Better yet, check out CP res. sk11682

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of chkp tech
Sent: Friday, February 17, 2006 2:41 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Problems with a natted firewall NGX

If changing the userc_IKE_NAT value didn't solve your problem, then I'd suggest you get an fw monitor and an IKE debug from the gateway. With the IKE debug you'll be able to see where in the process IKE fails and why. You might be able to see from the fw monitor which packet IKE fails with.

1) To debug IKE, run the command:
   vpn debug ikeon
2) To turn on fw monitoring, run the command:
   fw monitor -o mon.out
3) To bring the tunnel back up:
   Send traffic across the tunnel to initiate the tunnel
4) To stop the fw monitor, run the command:
   ctrl + c to stop the fw monitor
5) To turn IKE debugging off, run the command:
   vpn debug ikeoff

Review the ike.elg with WordPad and the fw monitor with Ethereal.

Jason

On 2/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am trying to set up a VPN for SecuRemote clients. My firewall is a
> NGX HF02 under RHEL 3. This firewall is natted by an ADSL router. Under
> SmartCenter server I have activated UDP encapsulation (NAT traversal)
> to establish VPNs between natted SecuRemote clients and this firewall.
> Well, this configuration does not work for me.
>
> Under the SecuRemote userc.C config file I see these params:
>
> : (VPNHome.isildur
>         :obj (
>                 : (192.168.67.193)
>         )
>         :keymanager (
>                 :type (refobj)
>                 :refname ("#_VPNHome")
>         )
>         :allowed_interface_ranges (
>                 : (192.168.67.193
>                         :allowed_range (
>                                 : (
>                                         :type (machines_range)
>                                         :ipaddr_first (0.0.0.0)
>                                         :ipaddr_last (255.255.255.255)
>                                 )
>                         )
>                         :is_ext (true)
>                         :is_natted (false)
>                 )
>         )
>         :resolve_interface_ranges (true)
>         :ifaddrs (
>                 : (192.168.67.193)
>                 : (172.16.76.6)
>                 : (192.168.100.65)
>
> In this SecuRemote configuration you will see this: is_natted (false).
> How can I change this param on the firewall, because it is a
> natted device? Do I need to use IKE over TCP to change this value?
>
> Thanks for your help.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
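Added example, not part of the original thread and not Check Point tooling: a small Python parser for the userc.C excerpt quoted above that lists each gateway interface with its is_ext and is_natted flags, so a client-side setting such as the is_natted (false) in question is easy to spot. The grammar is inferred only from the quoted excerpt, the names parse_userc and interface_flags are hypothetical, and the sample is constructed from values in the post.

```python
import re
# Constructed sample: abridged from the excerpt quoted in the post, left unclosed like it.
SAMPLE = """: (VPNHome.isildur
    :keymanager (
        :refname ("#_VPNHome")
    )
    :allowed_interface_ranges (
        : (192.168.67.193
            :allowed_range (
                : (
                    :type (machines_range)
                )
            )
            :is_ext (true)
            :is_natted (false)
        )
    )
    :ifaddrs (
"""
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()]+')

def parse_userc(text):
    """Parse ':name (value children...)' text (assumed grammar); unclosed parens are tolerated."""
    tokens, pos = TOKEN.findall(text), 0
    def node():
        nonlocal pos
        n = {"value": None, "children": []}
        while pos < len(tokens) and tokens[pos] != ")":
            tok, pos = tokens[pos], pos + 1
            if tok.startswith(":") and tokens[pos:pos + 1] == ["("]:
                pos += 1                      # step into the child's "("
                n["children"].append((tok[1:], node()))
            elif not tok.startswith(":"):
                n["value"] = tok.strip('"')   # bare or quoted value of this node
        pos += 1                              # consume ")" (or run off a truncated end)
        return n
    return node()

def interface_flags(n, gateway=None):
    """Return (gateway, interface, is_ext, is_natted) for every node carrying is_natted."""
    kids = {k: c["value"] for k, c in n["children"]}
    row = (gateway, n["value"], kids.get("is_ext"), kids.get("is_natted"))
    rows = [row] if "is_natted" in kids else []
    for _, child in n["children"]:
        rows += interface_flags(child, gateway or child["value"])
    return rows

if __name__ == "__main__":
    print(interface_flags(parse_userc(SAMPLE)))
```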