Monday, January 17, 2011

How to connect to NT shares through FW-1

First off, you will need to use encapsulation when setting up your encryption domain. This appears to be the only way to get the NBT (NetBIOS over TCP/IP) traffic to tunnel properly. Yes, it will even work if you are using address translation! In my case, I already had a network object defined for my RFC 1918 internal network. All I did was set up the encryption, specifying my existing local-net object as my encryption domain.

OK, question time now. I could only get this to work using the FWZ encryption method. I tried to set up SKIP, but it wouldn't happen. What's the real implication of using FWZ / Manual IPSEC / SKIP here? You can still define DES data encryption when you set up your users. Which of the above is the better method to choose?

Now that you have the domain set up, start creating your users, and add them to a group. Now you can create a rule to allow that group access to your encryption domain. In my case (source / destination / service / action): SR-Users / Local-Net / ANY / Client Encrypt.

Now comes the fun part: installing and configuring the client. The thing to remember here is you NEED some sort of NetBIOS name resolution. There are 2 ways this can be done. 1 - create an lmhosts file specifying every device on the internal net you need access to. This is the ugly and painful method. Though I made it work, I never could get a clean logon. Even though I got a good logon to the NT domain, I still got error messages about not being able to find a domain controller?? If you have WINS set up, USE IT!!! If you don't, SET IT UP!! Enter the internal address of your WINS server in the network properties of the client workstation. NOT the properties of the dial-up connection!!!
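If you do go the lmhosts route, the file is easy to get subtly wrong: one line per host, a 15-character NetBIOS name limit, #PRE to preload the entry into the name cache, and #DOM:&lt;domain&gt; to mark a domain controller. A further trap is that an entry pointing at an address outside the encryption domain resolves fine but the traffic never enters the tunnel. The following checker is an added example, not code from the original post or from Check Point; the encryption domain is assumed to be the RFC 1918 local-net object described above, and the host names, domain name and addresses in SAMPLE_LMHOSTS are constructed sample data. #INCLUDE and #BEGIN_ALTERNATE directives are not handled.

```python
import ipaddress
import re

# Assumption: the encryption domain is the post's RFC 1918 "local-net" object.
ENCRYPTION_DOMAIN = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample LMHOSTS content; not a real network.
SAMPLE_LMHOSTS = """\
# comment: constructed sample, not a real network
192.168.1.5    NTDC1    #PRE #DOM:CORP
192.168.1.20   FILESRV  #PRE
203.0.113.7    EXTDC    #PRE #DOM:CORP
192.168.1.30   averylongnetbiosname
"""

NETBIOS_NAME_MAX = 15          # 15 characters plus a 16th suffix byte
_DOM = re.compile(r"#DOM:(\S+)")


def parse_lmhosts(text):
    """Parse LMHOSTS host lines into dicts (address, name, #PRE flag, #DOM domain)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        parts = line.split(None, 2)            # address, name, optional keywords
        if len(parts) < 2:
            continue
        rest = parts[2] if len(parts) == 3 else ""
        dom = _DOM.search(rest)
        entries.append({
            "line": lineno,
            "address": parts[0],
            "name": parts[1],
            "pre": "#PRE" in rest,
            "dom": dom.group(1) if dom else None,
        })
    return entries


def check_entries(entries, domain=ENCRYPTION_DOMAIN):
    """Return (line, message) tuples for entries that will not work as intended."""
    problems = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e["address"])
        except ValueError:
            problems.append((e["line"], f"invalid address {e['address']!r}"))
            continue
        if not any(addr in net for net in domain):
            problems.append((e["line"], f"{e['name']} at {addr} is outside the "
                                        "encryption domain; traffic to it will not be tunnelled"))
        if len(e["name"]) > NETBIOS_NAME_MAX:
            problems.append((e["line"], f"name {e['name']!r} exceeds "
                                        f"{NETBIOS_NAME_MAX} characters"))
    return problems


def domain_controllers(entries):
    """Map each #DOM-tagged name to the NT domain it is a controller for."""
    return {e["name"]: e["dom"] for e in entries if e["dom"]}


if __name__ == "__main__":
    found = parse_lmhosts(SAMPLE_LMHOSTS)
    print("domain controllers:", domain_controllers(found))
    for line, msg in check_entries(found):
        print(f"line {line}: {msg}")
```

Run against the constructed sample it flags EXTDC (a public address that the client would try to reach outside the tunnel) and the over-long name; the two clean entries are the only ones the client could actually use.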

If you also have this client networked via a NIC, you will also have to implement hardware profiles. Make 2 profiles, one for dial-up and the other for in the office. Disable the NIC for the dial-up profile. Now you can install the SecuRemote client. Reboot, dial up your ISP, and you should be able to create your site within the client.

You should now have a fully functional SecuRemote VPN set up. Dial up your ISP, and you will be automagically prompted to authenticate yourself to the firewall. While you're trying to type that ID and password in, your NT logon will pop up. Remember to finish the SecuRemote authentication before you enter your NT logon :>
