Configuration of a Symantec Enterprise Firewall/VPN client tunnel when the firewall/VPN server is subjected to external NAT

Article:TECH80190  |  Created: 2002-01-20  |  Updated: 2009-01-23  |  Article URL http://www.symantec.com/docs/TECH80190
Article Type
Technical Solution


Environment

Issue



You have a Symantec Enterprise Firewall/VPN server behind a device (a router or a load balancing device) that is performing NAT (Network Address Translation) to the firewall. That is, packets sent to the publicly accessible IP address are forwarded to the address of the firewall's "external" network card, which may be an internal, private address.

Attempting to connect a tunnel from a VPN client using the public address fails. You need to know how to configure the firewall and client to allow the connection.

You may also see an error: "IKMP_ERROR err=(-3360) Shared key file or entry for this peer does not exist" in the firewall/VPN server logs. See KB article Error: "IKMP_ERROR err=(-3360) Shared key file or entry for this peer does not exist" at http://service1.symantec.com/support/ent-gate.nsf/docid/2001120413034054 for additional information.



Solution



The firewall/VPN server expects the tunnel endpoint to be one of its own IP addresses. By default a VPN tunnel is defined by the IP addresses of its endpoints, and the address the firewall examines during the Phase 1 negotiation is the public one the client dialed. Although packets sent to that public address are forwarded to the firewall's network card, the public address is not defined as an IP address on the firewall itself, so the firewall cannot match it to a tunnel endpoint and the VPN tunnel connection fails.

This can be resolved by adding a Phase 1 ID to the Security Gateway entity as defined on the firewall/VPN server, and entering the same string in the corresponding Security Gateway configuration on the VPN client. The tunnel is then identified by that string rather than by an IP address, which gives the firewall the additional information it needs to complete the Phase 1 negotiation.

On the VPN server, the administrator of the server must add a Phase 1 ID to the Security Gateway entity to which the RaptorMobile/SEVPN client connects:

To add a Phase 1 ID to the Security Gateway entity:
  1. Open the RMC.
  2. Go to Base Components >Network Entities.
  3. Find the Security Gateway that is associated with the client's tunnel configuration.
  4. Add a Phase 1 ID (for example, phase1idtest, entered without quotes). The Phase 1 ID is case sensitive.
  5. Save and reconfigure the change.

On the RaptorMobile/SEVPN Client, you must modify the gateway properties to reflect the Phase 1 ID change on the VPN server.

To modify the gateway properties:
  1. Open RaptorMobile/SEVPN client, select the configured gateway, and click Properties.
  2. On the Advanced tab, in the Gateway ID field, enter exactly the string that was entered for the Phase 1 ID of the Security Gateway on the VPN server (for example, phase1idtest, without quotes; the string is case sensitive). If you are not the VPN server administrator, the administrator will need to supply this string to you.
  3. Click OK and retest the client connectivity.
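The following Python model illustrates why the default address-based identification fails behind NAT and why the Phase 1 ID described above repairs it. It is an added illustration, not Symantec's code and not an implementation of IKE: the addresses (RFC 5737 documentation ranges), the entity names, the NAT table and the responder's lookup rules are assumptions chosen to mirror the behaviour the article describes.

```python
"""Simplified model of how a VPN server identifies its tunnel endpoint in
Phase 1, with and without a Phase 1 ID, when it sits behind a NAT device.
Added illustration (assumptions throughout); not Symantec's code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses (assumed, RFC 5737 documentation ranges).
PUBLIC_IP = "203.0.113.10"      # address the NAT device publishes
FIREWALL_EXT_IP = "192.0.2.10"  # firewall "external" NIC behind the NAT
NAT_TABLE = {PUBLIC_IP: FIREWALL_EXT_IP}  # static NAT on the router/load balancer


@dataclass
class SecurityGateway:
    """Security Gateway entity as defined on the firewall/VPN server."""
    name: str
    addresses: frozenset              # addresses configured on the firewall itself
    phase1_id: Optional[str] = None   # Phase 1 ID set in the RMC; case sensitive


@dataclass
class ClientGateway:
    """Gateway entry on the RaptorMobile/SEVPN client."""
    address: str                      # address the client dials (the public one)
    gateway_id: Optional[str] = None  # 'Gateway ID' on the client's Advanced tab

    def expected_peer_identity(self) -> Tuple[str, str]:
        """Identity the client expects the server to have. With no Gateway ID
        the endpoint is identified by the address that was dialed."""
        if self.gateway_id:
            return ("ID_KEY_ID", self.gateway_id)
        return ("ID_IPV4_ADDR", self.address)


def deliver(dst_ip: str, nat: Dict[str, str]) -> str:
    """The NAT device rewrites the public destination to the firewall's NIC."""
    return nat.get(dst_ip, dst_ip)


def responder_phase1(gw: SecurityGateway, client: ClientGateway,
                     nat: Dict[str, str]) -> Tuple[bool, str]:
    """Model the server's Phase 1 endpoint check. Returns (accepted, reason)."""
    if deliver(client.address, nat) not in gw.addresses:
        return False, "packet never reached the firewall"  # routing, not IKE
    id_type, id_value = client.expected_peer_identity()
    if id_type == "ID_IPV4_ADDR":
        # Default: the tunnel endpoint must be one of the firewall's own IPs.
        if id_value in gw.addresses:
            return True, f"endpoint {id_value} is a firewall address"
        return False, (f"endpoint {id_value} is not a firewall address; "
                       "no shared-key entry for this peer (err -3360)")
    # ID_KEY_ID: the string must match the configured Phase 1 ID exactly.
    if gw.phase1_id is not None and id_value == gw.phase1_id:
        return True, f"Phase 1 ID {id_value!r} matched"
    return False, f"Phase 1 ID {id_value!r} does not match {gw.phase1_id!r}"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Outcome of each configuration combination, keyed by scenario name."""
    direct = SecurityGateway("fw-direct", frozenset({PUBLIC_IP}))
    natted = SecurityGateway("fw-natted", frozenset({FIREWALL_EXT_IP}))
    fixed = SecurityGateway("fw-natted", frozenset({FIREWALL_EXT_IP}),
                            phase1_id="phase1idtest")
    cases = {
        # Firewall owns the public IP, no NAT: address identification works.
        "ip_id_no_nat": (direct, ClientGateway(PUBLIC_IP), {}),
        # Firewall behind NAT, identified by the public IP: fails (the article's case).
        "ip_id_behind_nat": (natted, ClientGateway(PUBLIC_IP), NAT_TABLE),
        # Phase 1 ID on the server entity and the same Gateway ID on the client.
        "phase1_id_match": (fixed, ClientGateway(PUBLIC_IP, "phase1idtest"), NAT_TABLE),
        # The ID is case sensitive.
        "phase1_id_wrong_case": (fixed, ClientGateway(PUBLIC_IP, "Phase1IDTest"), NAT_TABLE),
        # Gateway ID set on the client only; the server entity has no Phase 1 ID.
        "phase1_id_only_on_client": (natted, ClientGateway(PUBLIC_IP, "phase1idtest"), NAT_TABLE),
    }
    return {name: responder_phase1(gw, cl, nat) for name, (gw, cl, nat) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:26} {'OK  ' if ok else 'FAIL'} {reason}")
```

Only the `phase1_id_match` scenario succeeds behind the NAT device: the ID must be configured on both the server's Security Gateway entity and the client's gateway entry, and it must match character for character.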






Legacy ID



2002082009315654

