From: Leythos on
In article <597d2cd9-d06d-4a26-823b-a1be65df1718
@k39g2000yqd.googlegroups.com>, brischt(a)web.de says...
>
> Hi,
>
> I have an issue establishing an IPSec VPN gateway-to-gateway tunnel to
> a Symantec SGS360. I have tried several hardware appliances (Netgear,
> FritzBox) but to no avail. This leads me to the question - does anyone
> know whether an SGS can only establish gateway-to-gateway tunnels to
> other Symantec products? Is it somehow "incompatible" with standard
> IPSec?
>
> More detailed information:
> I used to have another Symantec SGS 360 on my end and it worked well,
> but it got wrecked when moving so I had to replace it. As Symantec is
> not producing the SGS 360 any more, I first decided to go for a
> Netgear product behind a DSL router doing NAT; as this didn't work, I
> blamed the whole NAT thing and replaced the combo with a FritzBox
> which has a DSL modem and IPSec functionality built-in. On the
> Symantec side, the SGS is establishing the DSL connection, so there is
> no NAT taking place anywhere; however both connections have dynamic IP
> addresses and publish their IP addresses using a dynamic DNS service.
>
> I tried using both main and aggressive mode and tried different
> encryption methods, but no matter what I do, the connection is not
> established - the log of the Symantec always only shows:
>
> Mima - !!!: Verarbeitung des Ereignisses EVENT_RETRANSMIT für
> 87.154.118.14 "Mima" #0
> Mima - STATE_MAIN_I1: initiieren
> Mima - IKE-Hauptmodus wird initiiert
>
> which translates to
> Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima"
> #0
> Mima - STATE_MAIN_I1: initiate
> Mima - IKE main mode is initiated
>
> (Mima is the name of the connection, 87.154.118.14 is the dynamic IP
> address of the FritzBox at that time)
>
> I am half-guessing when it comes to the configuration file of the
> FritzBox. It is actually a text file and is uploaded to the FritzBox
> as a whole. Here's the content:
> /*
>  * C:\Users\mycfg.cfg
>  * Mon Jun 07 19:00:18 2010
>  */
>
> vpncfg {
>     connections {
>         enabled = yes;
>         conn_type = conntype_lan;
>         name = "mysymantec.sytes.net";
>         always_renew = no;
>         reject_not_encrypted = no;
>         dont_filter_netbios = yes;
>         localip = 0.0.0.0;
>         local_virtualip = 0.0.0.0;
>         remoteip = 0.0.0.0;
>         remote_virtualip = 0.0.0.0;
>         remotehostname = "mysymantec.sytes.net";
>         localid {
>             key_id = "MyFritzBoxID";
>         }
>         remoteid {
>             key_id = "MySymantecID";
>         }
>         mode = phase1_mode_idp;
>         phase1ss = "alt/aes/sha";
>         keytype = connkeytype_pre_shared;
>         key = "VerySecretSharedKey";
>         cert_do_server_auth = no;
>         use_nat_t = yes;
>         use_xauth = no;
>         use_cfgmode = no;
>         phase2localid {
>             ipnet {
>                 ipaddr = 10.0.1.0;
>                 mask = 255.255.255.0;
>             }
>         }
>         phase2remoteid {
>             ipnet {
>                 ipaddr = 10.0.0.0;
>                 mask = 255.255.255.0;
>             }
>         }
>         phase2ss = "esp-aes-sha/ah-none/comp-all/pfs";
>         accesslist = "permit ip any 10.0.0.0 255.255.255.0";
>     }
>     ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>                         "udp 0.0.0.0:4500 0.0.0.0:4500";
> }
>
>
> // EOF
>
>
> On the Symantec box, the settings correspond as far as I can see:
> VPN preset:
> Encryption method: ESP AES SHA1
> Lifetime: 480
> Max. amount of data: 2100000
> Timeout when inactive: 0
> PFS:1
> DH group: Active
>
>
> VPN tunnel configuration:
> Preset as above
> Main mode
> Local gateway:
> ID type: Unique name (DN)
> ID: MySymantecID
> NetBIOS Broadcast: Activated
> Global tunnel: Deactivated
> Remote gateway:
> Gateway address: myfritz.dyndns.org
> ID type: Unique name (DN)
> ID: MyFritzBoxID
> Shared Key: VerySecretSharedKey
> Remote subnet ID: 10.0.1.0 Mask: 255.255.255.0
>
>
> The Symantec only allows IP address or Unique name (DN) as ID type, no
> FQDN or User_FQDN. However, the Symantec also allows configuring a
> "static tunnel" which, as far as I have read, does not do the whole IKE
> key exchange; but I am unsure how I could possibly configure that in
> the FritzBox configuration file.
>
> I'm really thankful for any hints on how to get this running...
> cheers!
>
> Roland

You won't be able to do a VPN using appliances behind a NAT router...

The VPN appliance needs to be the first device.

Most NAT routers, if you're talking home devices, have crappy
implementations.

I've used the Symantec units to connect to WatchGuard and other devices,
it's just a matter of getting the phases right.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
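As an added example (not from the thread or from either vendor): a small Python helper that reads Pluto-style IKE log lines like the Symantec ones quoted above, finds the furthest initiator state reached, counts retransmits and maps the stall to its usual cause. The sample log is constructed after the poster's translated lines; the state-to-cause table is general IKEv1 main-mode behaviour, not Symantec documentation.

```python
import re

# Constructed sample, modelled on the poster's translation of the SGS log.
SAMPLE_LOG = """\
Mima - IKE main mode is initiated
Mima - STATE_MAIN_I1: initiate
Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima" #0
Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima" #0
Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima" #0
"""

# IKEv1 initiator states in the order a Pluto-style daemon passes through them.
ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
         "STATE_QUICK_I1", "STATE_QUICK_I2"]

# Usual meaning of a stall at each state (general IKEv1 knowledge, not vendor docs).
VERDICTS = {
    "STATE_MAIN_I1": "no reply to IKE message 1: peer unreachable, UDP/500 not "
                     "reaching it, or peer not configured for this gateway (a "
                     "proposal or ID mismatch normally provokes a notify, not silence)",
    "STATE_MAIN_I2": "no reply to key exchange (message 3): often fragmentation "
                     "or NAT handling of the large DH packets",
    "STATE_MAIN_I3": "encrypted message 5 not accepted: typical of a pre-shared "
                     "key or identity mismatch",
    "STATE_MAIN_I4": "phase 1 complete, phase 2 never started",
    "STATE_QUICK_I1": "phase 2 proposal or subnet (traffic selector) mismatch",
    "STATE_QUICK_I2": "tunnel established",
}

LINE_RE = re.compile(r"^(?P<conn>\S+) - (?P<msg>.*)$")
STATE_RE = re.compile(r"(STATE_(?:MAIN|QUICK)_I\d)")

def diagnose(log_text):
    """Return connection name, furthest state, retransmit count and a verdict."""
    conn, furthest, retransmits = None, -1, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conn or m.group("conn")
        msg = m.group("msg")
        if "EVENT_RETRANSMIT" in msg:
            retransmits += 1
        s = STATE_RE.search(msg)
        if s and s.group(1) in ORDER:
            furthest = max(furthest, ORDER.index(s.group(1)))
    if furthest < 0:
        return {"conn": conn, "furthest": None, "retransmits": retransmits,
                "verdict": "no IKE state logged"}
    state, verdict = ORDER[furthest], VERDICTS[ORDER[furthest]]
    if retransmits and state != "STATE_QUICK_I2":
        verdict = f"{retransmits} retransmit(s) while in {state}: {verdict}"
    return {"conn": conn, "furthest": state, "retransmits": retransmits, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the quoted log it reports a stall at STATE_MAIN_I1 with three retransmits, i.e. the SGS never received an answer to its first main-mode message, which is a reachability or peer-configuration problem rather than a cipher or ID mismatch.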