[Vpn-help] VPN Client with Symantec SGS 420
Matthew Grooms
mgrooms at shrew.net
Sat Feb 17 16:01:26 CST 2007
rscheffer at gmx.net wrote:
> Matthews,
>
> first of all, I would like to thank you for being willing to help.
>
No problem. I am very eager to help anyone who is testing client
interoperability with different gateway platforms.
> My SGS420 is configured in the following way:

I took a look at the Symantec Gateway 400 manual and found this ...

Understanding Client-to-Gateway VPN tunnels

Symantec Gateway Security 400 Series models 460 and 460R support
client-to-gateway VPN tunnel configurations. A client-to-gateway
configuration is created when a workstation, running Symantec Client VPN
software, connects to the security gateway from either inside the
protected network or from a remote location through the Internet. This
minimizes costs associated with modem pools and costly 800 dial-up
charges, as clients can use ISPs with local dial-up numbers to
transparently connect to the security gateway.

... Are you sure your model of gateway supports client connectivity? It
only says it's possible for the 460 and 460R.
>
> I am not quite sure what I have to insert into "Local and Remote identity".
>
I'm not quite sure either but we can easily find out. The gateway is
rejecting the phase1 id for some reason. I'm not sure what format or
value the gateway is expecting. The documentation states that the
Symantec client always uses aggressive mode for phase1 so it shouldn't
be that hard to figure this out.

In aggressive mode, the first packet is unencrypted and contains the
initiator's id. All you have to do is set up the Symantec client to point
to a box that is running tcpdump or wireshark and capture the UDP port
500 traffic. Of course, the client connection will fail but we only care
about seeing the first packet. By examining this, we should be able to
tell all the phase1 parameters and what id is used. Feel free to forward
me the pcap file and I will take a look at it for you.
Thanks,
-Matthew
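
The first-packet inspection described above, as an added example that is not part of the original message: a small parser that walks the ISAKMP payload chain of an unencrypted IKEv1 message and reports the exchange type and the initiator's ID payload. It assumes the input is the UDP port 500 payload exported from a capture; the function names and the sample packet (two payloads only, with a placeholder SA body) are constructed for illustration.

```python
import socket
import struct

EXCHANGES = {2: "main", 4: "aggressive"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
PAYLOAD_ID = 5  # ISAKMP Identification payload number (RFC 2408)

def parse_first_packet(data):
    """Return exchange type and initiator ID from an unencrypted IKEv1 message."""
    if len(data) < 28:
        raise ValueError("shorter than an ISAKMP header")
    # Bytes 0-15 are the two cookies; the rest of the fixed header follows.
    nxt, version, exch, flags, _msgid, length = struct.unpack("!BBBBII", data[16:28])
    if version != 0x10:
        raise ValueError("not an IKEv1 message")
    if flags & 0x01:
        raise ValueError("encryption bit set: payloads are not readable")
    result = {"exchange": EXCHANGES.get(exch, str(exch)), "id_type": None, "id_value": None}
    end, off = min(length, len(data)), 28
    while nxt != 0 and off + 4 <= end:
        following, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > end:
            raise ValueError("payload length runs past the message")
        if nxt == PAYLOAD_ID:
            if plen < 8:
                raise ValueError("truncated ID payload")
            id_type = data[off + 4]            # then protocol (1) and port (2)
            body = data[off + 8:off + plen]
            result["id_type"] = ID_TYPES.get(id_type, str(id_type))
            if id_type == 1 and len(body) == 4:
                result["id_value"] = socket.inet_ntoa(body)
            elif id_type in (2, 3):
                result["id_value"] = body.decode("ascii", "replace")
            else:
                result["id_value"] = body.hex()  # DN, key id, etc. shown raw
        nxt, off = following, off + plen
    return result

def build_sample():
    """Constructed sample: header, placeholder SA payload, ID_USER_FQDN payload."""
    ident = b"client@example.test"
    id_pl = struct.pack("!BBHBBH", 0, 0, 8 + len(ident), 3, 17, 500) + ident
    sa_pl = struct.pack("!BBH", PAYLOAD_ID, 0, 12) + b"\x00" * 8
    total = 28 + len(sa_pl) + len(id_pl)
    header = b"\x11" * 8 + b"\x00" * 8 + struct.pack("!BBBBII", 1, 0x10, 4, 0, 0, total)
    return header + sa_pl + id_pl

if __name__ == "__main__":
    print(parse_first_packet(build_sample()))
```
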