Solved

Trying to pass IPSec packets inbound through a Symantec Gateway Security 360 device

Posted on 2008-10-24
3
399 Views
Last Modified: 2012-08-13
I'm stumped on a firewall configuration.

The current network I'm working on uses a Symantec Security Gateway 360 for Internet protection and access. They have a Microsoft VPN server (Windows Server 2K3 Standard) located behind this device succesfully receiving and responding to PPTP requests for connections. I want to 'upgrade' this connection to start receiving IPSec traffic.

I've placed the VPN server on the Internet for short times to test the IPSec VPN connection. MS clients do connect to the server via IPSec when the server is directly on the Internet. However, management has stated all servers be covered behind the firewall device. (I know we can use the MS filters and such on the VPN application to keep the Internet at bay, but I have a few rules to follow here ;)

It seems like the SGS device is blocking protocols 50 (ESP) and 51 (AH) from passing packets inbound through this device to the MSVPN server. I see where I can open TCP and UDP ports, but not full protocols on the SGS device. (GRE is working via an expressed PPTP pasthru switch. No such switch for IPSec - that I have found so far.)

Anyone out there with experience on the SGS360? The user documentation and symantec help line have been weak at best.

Thanks!
0
Comment
Question by:tmzagar
  • 2
3 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 22806450
Do you have UDP 500 open? Also may need 4500/tcp and 4500/udp (IPSec NAT traversal).
0
 

Author Comment

by:tmzagar
ID: 22811802
More info and andswer to above:
The following 'VPN' ports are open:
(Remember that I'm trying to use a MS client over L2TP. Currently use PPTP.)
TCP/1723
TCP/1701
UDP/500
UDP/4500

As stated I have connected to this server via L2TP/IPSec when outside firewall. I wiresharked that connection. I also wiresharked the connection that didn't work. It kinna looks like all negotiations are working until the connection tries to "handoff" to protocol ESP. (just my humble opinion.)
0
 

Accepted Solution

by:
tmzagar earned 0 total points
ID: 23085639
Since the SGS seems to be going to an end of life and we are in need of the IPSec connection for its inherent security, I convinced the management to 'expose' one nic on the RRAS server to the DMZ. We applied filters to this interface to keep out all the undesired packets and poof! we now have an IPSec VPN connection endpoint. Clients are now enjoying VPN over IPSec.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now