Hi, I'm having trouble passing Checkpoint SecureRemote VPN sessions through my NATting IPF firewall cleanly. The IPF box is a Solaris 7 machine on sun4m hardware, running ipf 3.4.27. I've been using my Nortel Extranet VPN client through IPF successfully since the ipsec proxy patch came out at 3.4.14, and that's always worked fine. However, I've recently been forced to add SecureRemote into the mix and have had problems.

Basically, the SecureRemote connections work initially but then stop working quickly. This is often indicative of a rekeying problem. What's odd is you can see many packets back and forth between the client and VPN gateway on 500/UDP, and it looks like they're talking. Then you'll get a bunch of these inbound on the external firewall interface:

Dec 11 12:05:08 [10.10.1.1.128.112] ipmon[1165]: 12:05:08.040317 4x le0 @100:17 b x.x.x.x -> 172.16.1.224 PR udp len 20 (80) frag 60@1480 IN
Dec 11 12:05:12 [10.10.1.1.128.112] ipmon[1165]: 12:05:12.116888 le0 @100:17 b x.x.x.x -> 172.16.1.224 PR udp len 20 (80) frag 60@1480 IN
Dec 11 12:05:20 [10.10.1.1.128.112] ipmon[1165]: 12:05:20.287353 le0 @100:17 b x.x.x.x -> 172.16.1.224 PR udp len 20 (80) frag 60@1480 IN

...and the connection will die. This leaves me wondering: is the VPN gateway sending fragments, and if so, why? I have noticed that SR seems to "fall back" to some proprietary encapsulation-over-UDP technique. I saw that it was trying to talk to the VPN gateway on UDP/2746. Permitting those connections outbound seems to help a lot, actually, and would be perfect except I still get hung connections and the above fragmented packets. Can someone let me know if they have the SR VPN client working through a NATted IPF firewall, and if so, how did you do it?

TIA,
Jonathan
[EMAIL PROTECTED]

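The ipmon lines above are the clue: "frag 60@1480" is a non-first IP fragment (60 bytes at offset 1480), which carries no UDP header and therefore no ports. A UDP state entry created by a "keep state" rule cannot match it, so it falls through to the block rule at @100:17. A large IKE or UDP/2746 datagram (certificate payloads commonly push IKE past a 1500-byte MTU) is exactly what produces such fragments. The following ipnat.conf and ipf.conf fragment is an added example, not part of Jonathan's post or of the IPFilter distribution; it assumes le0 is the external interface, 172.16.1.0/24 is the inside network, x.x.x.x stands for the gateway address exactly as in the post, and the ipsec proxy from 3.4.14+ is already in use. Everything else inbound is still expected to hit the existing default block rule.

```conf
# --- ipnat.conf (added example; addresses and interface are assumptions) ---
# ISAKMP through the ipsec/udp proxy so that ESP from the gateway is
# mapped back to the inside host that negotiated it.
map le0 172.16.1.0/24 -> 0/32 proxy port 500 ipsec/udp
# Ordinary NAT for everything else, including the UDP/2746 fallback.
map le0 172.16.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map le0 172.16.1.0/24 -> 0/32

# --- ipf.conf (added example; x.x.x.x is the gateway placeholder from the post) ---
# IKE (500/UDP): "keep state" lets the gateway's replies in, and
# "keep frags" puts each fragmented datagram into the fragment cache so the
# port-less non-first fragments ("frag 60@1480" in ipmon) are passed
# instead of falling through to the block rule at @100:17.
pass out quick on le0 proto udp from 172.16.1.0/24 to x.x.x.x port = 500 keep state keep frags

# Check Point's UDP encapsulation fallback on 2746/UDP, treated the same way.
pass out quick on le0 proto udp from 172.16.1.0/24 to x.x.x.x port = 2746 keep state keep frags

# Native ESP in both directions; the ipsec proxy above does the address
# mapping. The inbound rule sees the already-translated inside address,
# because ipf applies NAT before filtering on the way in.
pass out quick on le0 proto esp from 172.16.1.0/24 to x.x.x.x
pass in  quick on le0 proto esp from x.x.x.x to 172.16.1.0/24
```

Keep "keep frags" scoped to the one gateway address rather than relaxing the firewall's general treatment of fragments: a block-all-fragments rule is a useful defence against fragment-based evasion, and the rules above only carve out the two UDP conversations that legitimately fragment. Check with "ipfstat -f" (the fragment cache) and "ipfstat -s" (state table) while a session is being negotiated; if the ipmon block lines at @100:17 stop appearing for x.x.x.x, the fragments are being matched from the cache.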