[Vpn-help] VPN Client with Symantec SGS 420

Matthew Grooms mgrooms at shrew.net
Sat Feb 17 16:01:26 CST 2007


rscheffer at gmx.net wrote:
> Matthews,
> 
> first of all, I would like to thank you for being willing to help.
> 

No problem. I am very eager to help anyone who is testing client 
interoperability with different gateway platforms.

> My SGS420 is configured in the following way:

I took a look at the Symantec Gateway 400 manual and found this ...

Understanding Client-to-Gateway VPN tunnels

Symantec Gateway Security 400 Series models 460 and 460R support 
client-to-gateway VPN tunnel configurations. A client-to-gateway 
configuration is created when a workstation, running Symantec Client VPN 
software, connects to the security gateway from either inside the 
protected network or from a remote location through the Internet. This 
minimizes costs associated with modem pools and costly 800 dial-up 
charges, as clients can use ISPs with local dial-up numbers to 
transparently connect to the security gateway.

... Are you sure your model of gateway supports client connectivity? It 
only says it's possible for the 460 and 460R.

> 
> I am not quite sure what I have to insert into "Local and Remote identity".
> 

I'm not quite sure either but we can easily find out. The gateway is 
rejecting the phase1 id for some reason. I'm not sure what format or 
value the gateway is expecting. The documentation states that the 
Symantec client always uses aggressive mode for phase1 so it shouldn't 
be that hard to figure this out.

In aggressive mode, the first packet is unencrypted and contains the 
initiator's ID. All you have to do is set up the Symantec client to point 
to a box that is running tcpdump or wireshark and capture the UDP port 
500 traffic. Of course, the client connection will fail but we only care 
about seeing the first packet. By examining this, we should be able to 
tell all the phase1 parameters and what id is used. Feel free to forward 
me the pcap file and I will take a look at it for you.

Thanks,

-Matthew
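
The check described above, as an added example that is not part of the original post: a small parser that walks the payload chain of the first IKEv1 packet and reports the exchange type and the phase1 ID the initiator sent. The function name `parse_phase1_id` and the sample packet are constructed for illustration; in practice the input is the UDP port 500 payload taken from the capture.

```python
import struct

# IKEv1 (RFC 2408 / RFC 2407) values needed to locate the phase1 ID.
EXCHANGE = {2: "identity-protection (main)", 4: "aggressive"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
PAYLOAD_ID = 5

def parse_phase1_id(udp_payload: bytes) -> dict:
    """Return exchange type and initiator ID from the first IKEv1 packet."""
    if len(udp_payload) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _icky, _rcky, nxt, _ver, xchg, flags, _msgid, total = struct.unpack(
        "!8s8sBBBBII", udp_payload[:28])
    if flags & 0x01:  # encryption bit set: payloads cannot be read
        raise ValueError("encrypted packet: payloads are not readable")
    result = {"exchange": EXCHANGE.get(xchg, str(xchg)), "id_type": None, "id": None}
    off, end = 28, min(total, len(udp_payload))
    while nxt != 0 and off + 4 <= end:
        # Generic payload header: next payload, reserved, payload length.
        following, _rsvd, plen = struct.unpack("!BBH", udp_payload[off:off + 4])
        if plen < 4 or off + plen > end:
            raise ValueError("malformed payload length")
        if nxt == PAYLOAD_ID and plen >= 8:
            id_type, _proto, _port = struct.unpack("!BBH", udp_payload[off + 4:off + 8])
            data = udp_payload[off + 8:off + plen]
            result["id_type"] = ID_TYPES.get(id_type, str(id_type))
            if id_type == 1 and len(data) == 4:
                result["id"] = ".".join(str(b) for b in data)
            elif id_type in (2, 3):
                result["id"] = data.decode("ascii", "replace")
            else:
                result["id"] = data.hex()
        nxt, off = following, off + plen
    return result

def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, len(body) + 4) + body

# Constructed sample packet: SA -> KE -> Nonce -> ID, with dummy bodies.
_body = (_payload(4, b"\x00" * 8) + _payload(10, b"\x11" * 16) +
         _payload(5, b"\x22" * 8) +
         _payload(0, struct.pack("!BBH", 3, 17, 500) + b"user@example.com"))
SAMPLE = struct.pack("!8s8sBBBBII", b"\xaa" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0,
                     28 + len(_body)) + _body

if __name__ == "__main__":
    print(parse_phase1_id(SAMPLE))
```

The ID type and value it reports are what go into the client's local identity settings when matching another client's behaviour.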


