CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Routers known (not) to work with Secure Client

LinkSys routers can pass SecuRemote connections provided the following is true:

- Firewall should be at version 4.1 SP3 or above.
- Firewall and users are both defined to use IKE (not FWZ) with 3DES encryption and SHA1 authentication (MD5 doesn't work).
- Secure Client is configured to use IKE as its default encryption scheme.
- UDP Encapsulation is highly recommended, but not required.
- Linksys router has firmware version 1.39 or above and one of the following enabled (not all options work in all situations):
  - Enable the DMZ feature for the host doing SecuRemote
  - Enable port forwarding for port 500 to the PC doing the VPN
  - Enable port triggering on port 500 (no need to specify which machine)
  - Enable SPI (Stateful Packet Inspection) mode
  - Enable IPSec Passthru

See also the FAQ: Secure Client and NAT

--------------------------------------------------------------------------------

To make the NETGEAR FM114P firewall router work with SecuRemote or SecureClient you'll have to make the following changes:

1. First set up your SecuRemote/SecureClient to "force UDP encapsulation" (Tools > Advanced IKE settings > check force UDP encapsulation). Don't forget to restart the client!
2. Next, go to your router web interface, normally http://192.168.0.1
3. Go to "Services" (left side) and click on "Add custom services":
   - Name: IPSEC500
   - Type: UDP
   - Start Port: 500
   - Finish Port: 500
   - click apply
4. Click on "Add custom services":
   - Name: IPSEC2746
   - Type: UDP
   - Start Port: 2746
   - Finish Port: 2746
   - click apply
5. Go to "Rules" (left side). On the "inbound service" section, click ADD:
   - Service: IPSEC500(UDP:500)
   - Action: ALLOW always
   - Send to LAN Server: the IP of your computer using the client
   - click apply
6. On the "inbound service" section, click ADD:
   - Service: IPSEC2746(UDP:2746)
   - Action: ALLOW always
   - Send to LAN Server: the IP of your computer using the client
   - click apply

This should do the trick. To make things more secure you could also define the IP range your company uses (WAN users).

--------------------------------------------------------------------------------

I have personally had no problems with Nexland routers. However, to support two or more clients going to the same firewall in NG, you will need to make a change to the firewall configuration. To change the VPN-1/FireWall-1 NG behavior to that of VPN-1/FireWall-1 4.1, proceed as follows:

On the Management Server, use the dbedit utility to set the udp_encapsulation_by_qm_id property to false, as shown below (in the following example the VPN-1/FireWall-1 administrator name is "fwadmin"):

    dbedit> modify properties firewall_properties udp_encapsulation_by_qm_id false
    dbedit> update properties firewall_properties

Open the Policy Editor, click Yes when asked to update your topology data due to inconsistencies. Install the security policy.

--------------------------------------------------------------------------------

A phoneboy.com reader writes: "The IPSec implementation in the Netgear MR 814 won't work with SecuRemote FP3 (or others, I expect). I got Outlook 2000 to work talking to an Exchange 2000 server, but double-clicking on 'My Computer' to see mapped drives hung the computer indefinitely. Switching back to my trusty Nexland ISB 400 worked just fine. Had the same results on 2 different computers attached to this Netgear. I tried it again to make sure of what I was seeing. With older (bad) versions of SecuRemote (like 4176) I have experienced shared drives working, but Outlook hanging."

-- PhoneBoy - 11 Feb 2004

--------------------------------------------------------------------------------

D-Link 802.11b/g Routers

- DI-614+ - works if you enable IPSEC Passthru and upgrade the firmware
- DSL-604+ - works if you enable IPSEC Passthru and upgrade the firmware
- DSL-G604T - works if you enable IPSEC Passthru

Go to ftp://ftp.dlink.com for the firmware upgrades.

--------------------------------------------------------------------------------

Comment on Netgear Routers

Comment from Daniel Chee: Just wanted to let you know that your site is very helpful in getting my SecureClient to work. I also wanted to let you know that the Netgear WGR614 v3 that I had did not work with SecureClient. It is supposed to have IPSec passthru enabled by default and I cannot find any setting in the management console to force it to enable/disable. Port forwarding all the necessary ports and it still wouldn't work right. The client will connect for about 5 minutes and then disconnect immediately. Netgear support was useless, simply telling me to port forward and then never replied to my follow-up question. I replaced the Netgear with a Linksys WRT54G and it has been flawless since.

--------------------------------------------------------------------------------

We recently switched from a wired Linksys connection to a wireless-G connection using a WRT54GA (firmware v2.07.01) router. Everything works except the CheckPoint VPN-1 SecureClient. We get the message "Gateway Not Responding", "Connection Failed". We have DSL using PPPoE. I've set up port forwarding for port 500 to TCP and UDP, port 264 to TCP, and port 2764 to TCP and UDP. I also allowed DMZ access to the IP address of the workstation using the SecureClient. IPSec is enabled. The firewall is disabled at this point but it didn't seem to matter - couldn't connect either way... Any help would be great. I'd like to stay wireless.

Mark

--------------------------------------------------------------------------------

I have 2 remote users with the same problem, both with the Linksys wireless G router. Have enabled port forwarding on TCP 264, 50, 51, 500, 3389 (for RDP) and UDP 500, 2746. Also set host up in DMZ. Client can authenticate with firewall but gets no further, so does seem to be a NAT issue. Have many other remote users connecting successfully using different routers. Any further ideas to try or is it time we tried a different wireless router?

Thanks
Kat

--------------------------------------------------------------------------------

Try to play with the settings within SecureClient. NAT issues are usually resolved by using IKE over TCP and Forcing UDP Encapsulation. To get to this screen with the NGX R60 SecureClient, right click on the status tray icon > Settings, highlight your profile and click Properties, then click on the Advanced Tab.

__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

--------------------------------------------------------------------------------

Quote:
However, if I connect the laptop to a NETGEAR DG834G (wirelessly), it doesn't work. I still get the "User .... authenticated by Firewall-1 authentication", but cannot ping or RDP my remote machine. Tracert shows the packets getting to the VPN Gateway but no further. I have no firewall port restrictions on the router. I have tried port forwarding ALL UDP/TCP ports to my laptop. I am using IKE over TCP and Forcing UDP Encapsulation. Any pointers?

--------------------------------------------------------------------------------

I'm using a Dynalink RTA1025W and have the same problem as the previous poster. I'm using the most recent firmware 3.02.02.02, DMZ forwarded, TCP 256 and UDP 259/50/51/500 forwarded. I too can tracert to the firewall; my colleague who admins the firewall can see me hitting it and supposedly being allowed access. The problem in this case seems to be that I'm not being allocated an IP address once authenticated. Any suggestions very welcome!

Cheers,
Alex

--------------------------------------------------------------------------------

I have Verizon DSL and connect to a VPN using CheckPoint Secure Client. I tried using the Westell Versalink modem provided by Verizon but could not connect to the VPN. I then switched to the Westell 6100 (not wireless) and was able to connect. I wanted to be wireless so I tried a DLink WBR-2310 but could not connect - when I attempted to connect it just timed out and failed. I have read some posts where the client could connect but couldn't access any apps; my situation was that I could not even connect to the VPN gateway. Then I bought a Linksys WRT54GS because Verizon said they support Linksys. I was on the phone with both Verizon and Linksys tech support and they could not help me configure the router to connect. I tried port forwarding on the ports used by the Host but no dice. I disabled the router firewall, etc etc...... Then I decided to try DLink again because in the past I could connect to the VPN with my old DI-614+ router - but that only supports 802.11b wireless connectivity AND I gave it to a friend so I couldn't exactly ask for it back. I bought the DLink DI-524 because it was identified on the DLink website as the replacement for the DI-614+. I hooked it up, used the wizard to configure and had absolutely no problem connecting to my VPN. I hope this helps others who are having a similar issue.

--------------------------------------------------------------------------------

Authentication but no traffic is almost always a problem with the MTU. PPPoE (used by many DSL providers) adds eight bytes to the packet size and breaks things. Reduce the MTU and try it. If you have SecureClient, enable Visitor Mode and use it instead. It sneaks through virtually every lousy router we have encountered.

Ray
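As an added illustration of the MTU budget Ray describes (this is not code from the thread or from Check Point), the script below works out how large a tunnel-mode ESP packet becomes with the 3DES/SHA1 and UDP encapsulation settings recommended earlier in the thread, and the largest inner packet that still fits a PPPoE link without fragmenting. The header sizes are taken from the IPsec RFCs; treating Check Point's UDP encapsulation (udp/2746) as a plain 8-byte UDP header is an assumption.

```python
# Added example (not from the thread): ESP/UDP-encapsulation size budget
# for a SecureClient tunnel using 3DES-CBC + HMAC-SHA1-96 in tunnel mode.
# Header sizes follow RFC 2406/2451/2404; the 8-byte UDP encapsulation
# header is an assumption about Check Point's udp/2746 encapsulation.

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8            # the eight bytes Ray mentions
OUTER_IP_HDR = 20             # IPv4 header on the encapsulated packet
UDP_ENCAP_HDR = 8             # UDP header when "force UDP encapsulation" is on
ESP_HDR = 8                   # SPI (4) + sequence number (4)
TRIPLE_DES_BLOCK = 8          # 3DES-CBC block size; the IV is one block
ESP_TRAILER = 2               # pad length (1) + next header (1)
SHA1_96_ICV = 12              # HMAC-SHA1-96 integrity check value


def esp_padding(inner_len: int) -> int:
    """ESP padding so that payload + pad + trailer fills whole 3DES blocks."""
    return (-(inner_len + ESP_TRAILER)) % TRIPLE_DES_BLOCK


def esp_outer_len(inner_len: int, udp_encap: bool = True) -> int:
    """On-the-wire size of a tunnel-mode ESP packet carrying an inner_len-byte IP packet."""
    fixed = OUTER_IP_HDR + ESP_HDR + TRIPLE_DES_BLOCK + ESP_TRAILER + SHA1_96_ICV
    if udp_encap:
        fixed += UDP_ENCAP_HDR
    return fixed + inner_len + esp_padding(inner_len)


def max_inner_len(link_mtu: int, udp_encap: bool = True) -> int:
    """Largest inner IP packet whose encapsulated form still fits link_mtu unfragmented."""
    inner = link_mtu
    while esp_outer_len(inner, udp_encap) > link_mtu:
        inner -= 1
    return inner


def recommended_tcp_mss(link_mtu: int, udp_encap: bool = True) -> int:
    """Inner TCP MSS that avoids fragmentation: inner MTU minus 20-byte IP and 20-byte TCP headers."""
    return max_inner_len(link_mtu, udp_encap) - 40


if __name__ == "__main__":
    pppoe_mtu = ETHERNET_MTU - PPPOE_OVERHEAD          # 1492 on a typical DSL link
    print("1500-byte inner packet becomes", esp_outer_len(1500), "bytes on the wire")
    print("largest inner packet over PPPoE:", max_inner_len(pppoe_mtu))
    print("largest inner packet over plain Ethernet:", max_inner_len(ETHERNET_MTU))
    print("inner TCP MSS to set over PPPoE:", recommended_tcp_mss(pppoe_mtu))
```

A 1500-byte inner packet grows to 1560 bytes on the wire, so it exceeds even a plain 1500-byte link; over PPPoE the inner packet must be trimmed to 1430 bytes (TCP MSS 1390) before it passes without fragmentation.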

--------------------------------------------------------------------------------

Anyone else having trouble with the Linksys WCG200 all-in-one cable modem/router? VPN consistently connects fine, then fails to pass traffic reliably. RCN Cable is being a PITA about replacing the box with a basic cable modem, sans router.