Re: Help with Windows VPN setup and Astaro firewall

From: Wolfgang Kueter (wolfgang_at_shconnect.de)
Date: 05/02/04

Next message: Ondrej Vlcek: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"

Previous message: Zarggg: "Re: HACKERS SECRET WEAPONS:"
In reply to: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Next in thread: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Reply: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 02 May 2004 23:21:37 +0200

arabub wrote:

> My guess is that the "malformed message" errors refer to the fact that
> the package checksums are being made invalid by the NATting of my
> local firewall.

Your guess is right. NAT destroys IPSec.

> However, the exact same firewall does not cause any problems for my
> VPN connections to a different remote firewall! So I doubt that it's
> my local firewall.
>
> Summary:
>
> Connection from Connection to Result
> ------------------------------------------------------------------------
> Local Win2k workstation Remote firewall 1 (pix) Success

Due to cisco workarounds.

> Local Win2k workstation remote firewall 2 (Astaro) "malformed
> message"

Normal behaivior according to the IPSec specification.

> I am using a Cisco VPN client on the Win2k workstation, and I verified
> that the VPN client's configuration files for both VPNs are identical,
> with the exception of the remote gateway and the user authentication
> information.
>
> From this I conclude that the problem must be with my Astaro
> firewall's IPSec configuration.

No, pixes just offer some IMHO rather dirty workarounds for the problem.

> However, I tried many combinations of
> settings on the Astaro firewall, but have not found a working
> configuration.
> Any further ideas?

Yes, as always simply stick to the golden rule: "Terminate the VPN on the
gateway, never on a client behind it!"

Wolfgang

-- 
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel

Next message: Ondrej Vlcek: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"

Previous message: Zarggg: "Re: HACKERS SECRET WEAPONS:"
In reply to: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Next in thread: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Reply: arabub: "Re: Help with Windows VPN setup and Astaro firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: DFL-300 IPSEC VPNs only works if your remote client is open wide open on the internet! Sucks!
... > Are you trying to make a VPN connection somewhere? ... My PC is sitting on a 10/8 network behind a Checkpoint MG firewall I ... I allow IPSEC passthrough and I allow UDP virtual connectivity. ...
(comp.security.firewalls)
Re: Calling all Experts!!
... I would strongly recommend building a IPSec VPN tunnel from one ... end to the other and forget the Nortel solution. ... > 1 Should VPN switch sit beside firewall or sit outside firewall? ...
(comp.security.firewalls)
Re: cisco / microsoft -- what is the VPN IPsec alternative????
... I like Gnatbox firewall. ... about 2 years ago and they had just released the IPSec VPN verison. ...
(comp.security.misc)
Re: Security of a Windows 2003 VPN Question
... I was thinking of using IPSec to block access to the box. ... Do you really need IPSec between VPN server and DC? ... Ok, what about the integrity of the box, since there's no firewall on it? ...
(microsoft.public.windows.server.security)
Re: Help with Windows VPN setup and Astaro firewall
... the exact same firewall does not cause any problems for my ... > VPN connections to a different remote firewall! ... > that the VPN client's configuration files for both VPNs are identical, ... > firewall's IPSec configuration. ...
(comp.security.firewalls)