Thread: VPN connection between FritzBox and Symantec SGS 360

  1. #1
    Roland Dick
    Guest

    VPN connection between FritzBox and Symantec SGS 360

    Hi,

    I have an issue establishing an IPSec VPN gateway-to-gateway tunnel to
    a Symantec SGS360. I have tried several hardware appliances (Netgear,
    FritzBox) but to no avail. This leads me to the question - does anyone
    know whether an SGS can only establish gateway-to-gateway tunnels to
    other Symantec products? Is it somehow "incompatible" with standard
    IPSec?

    More detailed information:
    I used to have another Symantec SGS 360 on my end and it worked well,
    but it got wrecked when moving so I had to replace it. As Symantec is
    not producing the SGS 360 any more, I first decided to go for a
    Netgear product behind a DSL router doing NAT; as this didn't work, I
    blamed the whole NAT thing and replaced the combo with a FritzBox
    which has a DSL modem and IPSec functionality built-in. On the
    Symantec side, the SGS is establishing the DSL connection, so there is
    no NAT taking place anywhere; however both connections have dynamic IP
    addresses and publish their IP addresses using a dynamic DNS service.

    I tried using both main and aggressive mode and tried different
    encryption methods, but no matter what I do, the connection is not
    established - the log of the Symantec always only shows:

    Mima - !!!: Verarbeitung des Ereignisses EVENT_RETRANSMIT für
    87.154.118.14 "Mima" #0
    Mima - STATE_MAIN_I1: initiieren
    Mima - IKE-Hauptmodus wird initiiert

    which translates to
    Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima"
    #0
    Mima - STATE_MAIN_I1: initiate
    Mima - IKE main mode is initiated

    (Mima is the name of the connection, 87.154.118.14 is the dynamic IP
    address of the FritzBox at that time)

    I am half-guessing when it comes to the configuration file of the
    FritzBox. It is actually a text file and is uploaded to the FritzBox
    as a whole. Here's the content:
    /*
     * C:\Users\mycfg.cfg
     * Mon Jun 07 19:00:18 2010
     */

    vpncfg {
        connections {
            enabled = yes;
            conn_type = conntype_lan;
            name = "mysymantec.sytes.net";
            always_renew = no;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = 0.0.0.0;
            remote_virtualip = 0.0.0.0;
            remotehostname = "mysymantec.sytes.net";
            localid {
                key_id = "MyFritzBoxID";
            }
            remoteid {
                key_id = "MySymantecID";
            }
            mode = phase1_mode_idp;
            phase1ss = "alt/aes/sha";
            keytype = connkeytype_pre_shared;
            key = "VerySecretSharedKey";
            cert_do_server_auth = no;
            use_nat_t = yes;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = 10.0.1.0;
                    mask = 255.255.255.0;
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 10.0.0.0;
                    mask = 255.255.255.0;
                }
            }
            phase2ss = "esp-aes-sha/ah-none/comp-all/pfs";
            accesslist = "permit ip any 10.0.0.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
    }


    // EOF


    On the Symantec box, the settings correspond as far as I can see:
    VPN preset:
    Encryption method: ESP AES SHA1
    Lifetime: 480
    Max. amount of data: 2100000
    Timeout when inactive: 0
    PFS:1
    DH group: Active


    VPN tunnel configuration:
    Preset as above
    Main mode
    Local gateway:
    ID type: Unique name (DN)
    ID: MySymantecID
    NetBIOS Broadcast: Activated
    Global tunnel: Deactivated
    Remote gateway:
    Gateway address: myfritz.dyndns.org
    ID type: Unique name (DN)
    ID: MyFritzBoxID
    Shared Key: VerySecretSharedKey
    Remote subnet ID: 10.0.1.0 Mask: 255.255.255.0


    The Symantec only allows IP address or Unique name (DN) as ID type, no
    FQDN or User_FQDN. However, the Symantec also allows configuring a
    "static tunnel" which, as far as I have read, does not do the whole IKE
    key exchange; but I am unsure how I could possibly configure that in
    the FritzBox configuration file.

    I'm really thankful for any hints on how to get this running...
    cheers!

    Roland
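
The two configurations above have to mirror each other (local ID and subnet on one end are the remote ID and subnet on the other) and agree on ID type and phase-1 mode. The following is an added example, not code from the post or from AVM or Symantec: it parses the FritzBox vpncfg syntax and cross-checks it against the Symantec settings. It assumes that a `key_id` block is sent as IKE ID type KEY_ID and that `phase1_mode_idp` denotes identity-protection (main) mode; the sample inputs are constructed from the post with its placeholder IDs and key.

```python
import re
from ipaddress import ip_network

# Constructed sample: the vpncfg block from the post, cut down to the fields compared below.
FRITZ_CFG = r'''/* C:\Users\mycfg.cfg */
vpncfg {
  connections {
    localid { key_id = "MyFritzBoxID"; }
    remoteid { key_id = "MySymantecID"; }
    mode = phase1_mode_idp;
    keytype = connkeytype_pre_shared;
    key = "VerySecretSharedKey";
    phase2localid { ipnet { ipaddr = 10.0.1.0; mask = 255.255.255.0; } }
  }
}'''

# Symantec tunnel settings as listed in the post (constructed dict; peer is reached via DynDNS).
SGS = {"mode": "main", "local_id": "MySymantecID", "remote_id": "MyFritzBoxID",
       "remote_id_type": "DN", "remote_gateway_dynamic": True,
       "shared_key": "VerySecretSharedKey", "remote_subnet": "10.0.1.0/24"}

TOKEN = re.compile(r'(\w+)\s*\{|(\})|(\w+)\s*=\s*([^;]+);')

def parse_vpncfg(text):
    """Turn the brace-delimited vpncfg syntax into nested dicts (quotes stripped)."""
    text = re.sub(r'/\*.*?\*/|//[^\n]*', '', text, flags=re.S)  # drop both comment styles
    stack = [{}]
    for sect, close, key, val in TOKEN.findall(text):
        if sect:                      # "name {" opens a nested section
            stack.append(stack[-1].setdefault(sect, {}))
        elif close:
            stack.pop()
        else:
            stack[-1][key] = val.strip().strip('"')
    return stack[0]

def check_tunnel(fritz, sgs):
    c, issues = fritz["vpncfg"]["connections"], []
    if (c["localid"].get("key_id"), c["remoteid"].get("key_id")) != (sgs["remote_id"], sgs["local_id"]):
        issues.append("IKE identities do not cross over (local on one end = remote on the other)")
    # Assumption: a key_id block is sent as IKE ID type KEY_ID; the SGS only offers IP or DN.
    if "key_id" in c["localid"] and sgs["remote_id_type"] != "KEY_ID":
        issues.append(f"ID type mismatch: FritzBox sends KEY_ID, SGS expects {sgs['remote_id_type']}")
    net = c["phase2localid"]["ipnet"]
    if ip_network(f"{net['ipaddr']}/{net['mask']}") != ip_network(sgs["remote_subnet"]):
        issues.append("FritzBox local subnet != SGS remote subnet")
    # IKEv1 main mode + PSK: the responder picks the PSK by peer address, since the ID payload
    # only arrives in the encrypted messages 5/6; a dynamic peer address defeats that lookup.
    if sgs["mode"] == "main" and c.get("mode") == "phase1_mode_idp" and sgs["remote_gateway_dynamic"]:
        issues.append("main mode with PSK and a dynamic peer address: PSK lookup by IP cannot work")
    return issues
```

Run `check_tunnel(parse_vpncfg(FRITZ_CFG), SGS)` to list the mismatches; for the settings in the post the identities and subnets line up, and what remains are the ID-type and main-mode findings.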


  2. #2
    Leythos
    Guest

    Re: VPN connection between FritzBox and Symantec SGS 360

    In article <597d2cd9-d06d-4a26-823b-a1be65df1718
    @k39g2000yqd.googlegroups.com>, brischt@web.de says...
    >
    > Hi,
    >
    > I have an issue establishing an IPSec VPN gateway-to-gateway tunnel to
    > a Symantec SGS360. I have tried several hardware appliances (Netgear,
    > FritzBox) but to no avail. This leads me to the question - does anyone
    > know whether an SGS can only establish gateway-to-gateway tunnels to
    > other Symantec products? Is it somehow "incompatible" with standard
    > IPSec?
    >
    > More detailed information:
    > I used to have another Symantec SGS 360 on my end and it worked well,
    > but it got wrecked when moving so I had to replace it. As Symantec is
    > not producing the SGS 360 any more, I first decided to go for a
    > Netgear product behind a DSL router doing NAT; as this didn't work, I
    > blamed the whole NAT thing and replaced the combo with a FritzBox
    > which has a DSL modem and IPSec functionality built-in. On the
    > Symantec side, the SGS is establishing the DSL connection, so there is
    > no NAT taking place anywhere; however both connections have dynamic IP
    > addresses and publish their IP addresses using a dynamic DNS service.
    >
    > I tried using both main and aggressive mode and tried different
    > encryption methods, but no matter what I do, the connection is not
    > established - the log of the Symantec always only shows:
    >
    > Mima - !!!: Verarbeitung des Ereignisses EVENT_RETRANSMIT für
    > 87.154.118.14 "Mima" #0
    > Mima - STATE_MAIN_I1: initiieren
    > Mima - IKE-Hauptmodus wird initiiert
    >
    > which translates to
    > Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima"
    > #0
    > Mima - STATE_MAIN_I1: initiate
    > Mima - IKE main mode is initiated
    >
    > (Mima is the name of the connection, 87.154.118.14 is the dynamic IP
    > address of the FritzBox at that time)
    >
    > I am half-guessing when it comes to the configuration file of the
    > FritzBox. It is actually a text file and is uploaded to the FritzBox
    > as a whole. Here's the content:
    > /*
    > * C:\Users\mycfg.cfg
    > * Mon Jun 07 19:00:18 2010
    > */
    >
    > vpncfg {
    > connections {
    > enabled = yes;
    > conn_type = conntype_lan;
    > name = "mysymantec.sytes.net";
    > always_renew = no;
    > reject_not_encrypted = no;
    > dont_filter_netbios = yes;
    > localip = 0.0.0.0;
    > local_virtualip = 0.0.0.0;
    > remoteip = 0.0.0.0;
    > remote_virtualip = 0.0.0.0;
    > remotehostname = "mysymantec.sytes.net";
    > localid {
    > key_id = "MyFritzBoxID";
    > }
    > remoteid {
    > key_id = "MySymantecID";
    > }
    > mode = phase1_mode_idp;
    > phase1ss = "alt/aes/sha";
    > keytype = connkeytype_pre_shared;
    > key = "VerySecretSharedKey";
    > cert_do_server_auth = no;
    > use_nat_t = yes;
    > use_xauth = no;
    > use_cfgmode = no;
    > phase2localid {
    > ipnet {
    > ipaddr = 10.0.1.0;
    > mask = 255.255.255.0;
    > }
    > }
    > phase2remoteid {
    > ipnet {
    > ipaddr = 10.0.0.0;
    > mask = 255.255.255.0;
    > }
    > }
    > phase2ss = "esp-aes-sha/ah-none/comp-all/pfs";
    > accesslist = "permit ip any 10.0.0.0 255.255.255.0";
    > }
    > ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
    > "udp 0.0.0.0:4500 0.0.0.0:4500";
    > }
    >
    >
    > // EOF
    >
    >
    > On the Symantec box, the settings correspond as far as I can see:
    > VPN preset:
    > Encryption method: ESP AES SHA1
    > Lifetime: 480
    > Max. amount of data: 2100000
    > Timeout when inactive: 0
    > PFS:1
    > DH group: Active
    >
    >
    > VPN tunnel configuration:
    > Preset as above
    > Main mode
    > Local gateway:
    > ID type: Unique name (DN)
    > ID: MySymantecID
    > NetBIOS Broadcast: Activated
    > Global tunnel: Deactivated
    > Remote gateway:
    > Gateway address: myfritz.dyndns.org
    > ID type: Unique name (DN)
    > ID: MyFritzBoxID
    > Shared Key: VerySecretSharedKey
    > Remote subnet ID: 10.0.1.0 Mask: 255.255.255.0
    >
    >
    > The Symantec only allows IP address or Unique name (DN) as ID type, no
    > FQDN or User_FQDN. However, the Symantec also allows configuring a
    > "static tunnel" which, as far as I have read, does not do the whole IKE
    > key exchange; but I am unsure how I could possibly configure that in
    > the FritzBox configuration file.
    >
    > I'm really thankful for any hints on how to get this running...
    > cheers!
    >
    > Roland


    You won't be able to do a VPN using appliances behind a NAT router...

    The VPN appliance needs to be the first device.

    Most NAT routers, if you're talking home devices, have crappy
    implementations.

    I've used the Symantec units to connect to WatchGuard and other devices,
    it's just a matter of getting the phases right.

    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)

  3. #3
    Roland Dick
    Guest

    Re: VPN connection between FritzBox and Symantec SGS 360

    On 12.06.2010, 15:55, Leythos <spam999free@rrohio.com> wrote:


    > You won't be able to do a VPN using appliances behind a NAT router...


    Are you sure about this? I was under the impression that the aggressive
    mode works behind a NAT router. At least this used to be my setup with two
    SGS360, one of which was behind a router doing NAT (but supporting IPSec
    passthrough).

    However, in my case now, both appliances are not behind a NAT router.

    > Most NAT routers, if you're talking home devices, have crappy
    > implementations.


    Yes, unfortunately.

    > I've used the Symantec units to connect to WatchGuard and other devices,
    > it's just a matter of getting the phases right.


    That's interesting, so Symantec is not limited to establishing
    gateway-to-gateway tunnels to other Symantec boxes; did your appliances
    work with static or dynamic IP addresses? Do you remember which id type
    you used on the Symantec - IP address or DN?

    Thanks,

    Roland

  4. #4
    Leythos
    Guest

    Re: VPN connection between FritzBox and Symantec SGS 360

    In article <op.vd63vx0n6aovv1@2009m01.mshome.net>, brischt@web.de
    says...
    >
    > On 12.06.2010, 15:55, Leythos <spam999free@rrohio.com> wrote:
    >
    >
    > > You won't be able to do a VPN using appliances behind a NAT router...

    >
    > Are you sure about this? I was under the impression that the aggressive
    > mode works behind a NAT router. At least this used to be my setup with two
    > SGS360, one of which was behind a router doing NAT (but supporting IPSec
    > passthrough).
    >
    > However, in my case now, both appliances are not behind a NAT router.


    IPSec pass-through is a crap-shoot and sometimes the cheap NAT device
    will only support 1 or 2 tunnels from inside. It's always best to set up
    the VPN at the entry point and then limit the tunnel traffic by IP/range
    of IPs as needed with rules.

    >
    > > Most NAT routers, if you're talking home devices, have crappy
    > > implementations.

    >
    > Yes, unfortunately.
    >
    > > I've used the Symantec units to connect to WatchGuard and other devices,
    > > it's just a matter of getting the phases right.

    >
    > That's interesting, so Symantec is not limited to establishing
    > gateway-to-gateway tunnels to other Symantec boxes; did your appliances
    > work with static or dynamic IP addresses? Do you remember which id type
    > you used on the Symantec - IP address or DN?


    Never tried to VPN with dynamic IPs, it's always a problem. We've not
    used the Symantec devices in a couple years, sorry, don't remember much
    about the details from then.

    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)