Configuring IPSEC passthrough (outbound client VPN connections) on a Symantec Gateway Security appliance
Article: TECH84537 | Created: 2006-01-30 | Updated: 2012-03-27 | Article URL: http://www.symantec.com/docs/TECH84537
Problem
You have a Symantec Gateway Security 1600 Series appliance in your network. You need instructions to configure your appliance to allow outbound IPSEC traffic to pass through to an external IPSEC VPN endpoint.
Solution
To configure the appliance to allow IPSEC traffic to pass through, you need the following information:
Public-ip-low = First address of dedicated public IP range
Public-ip-high = Last address of dedicated public IP range
Vpn-server-ip = External VPN Server
Note: The following configuration is for IPSEC client traffic with NO UDP encapsulation. If you are using UDP encapsulation, skip to the section "With UDP encapsulation on Port x".
Create the following network entity: (Assets > Network > Network Entities > New Network Entity)
Type = Host
Name = host-vpnserver-external
IP address = vpn-server-ip
Create the following Service Group: (Assets > Protocols > Service Groups > New Service Group)
Name = OutboundVPN
Protocols = ISAKMP, ESP
Create the following Rule: (Policy > Firewall > Rules > New Rule)
Name = VPN-Outbound
Entering = Inside
Source = Universe
Destination = Universe
Leaving = Outside
Service Group = OutboundVPN
Create the following NAT Pool (Assets > Network > NAT Pools > New NAT Pool)
Name = VPN-NAT
Type = Dynamic
Start IP Address = public-ip-low
End IP Address = public-ip-high
Create the following Address Transforms (Assets > Network > Address Transforms > New Address Transform)
Name = VPN-Inbound
Entering = Outside
Source = host-vpnserver-external
Destination = Universe
Leaving = Inside
Transform = Use Original Address

Name = VPN-Outbound
Entering = Inside
Source = Universe
Destination = host-vpnserver-external
Leaving = Outside
Transform = VPN-NAT
With UDP encapsulation on Port x:
Create the following Protocols: (Assets > Protocols > Protocol > New Protocol)
Type = UDP
Name = vpn-encap
Destination Single Port = x
Source Port Range = 1024-65535
Use GSP = yes
Create the following Service Group: (Assets > Protocols > Service Groups > New Service Group)
Name = Outbound-VPN
Protocols = vpn-encap (udp-encap for Symantec Client VPN), ISAKMP
Create the following Rule: (Policy > Firewall > Rules > New Rule)
Name = VPN-Outbound
Entering = Inside
Source = Universe
Destination = Universe
Leaving = Outside
Service Group = Outbound-VPN
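The following is an added example, not Symantec code or appliance output: a small Python model of the two service groups, the VPN-Outbound rule, the NAT pool and the outbound address transform described above, useful for checking which outbound flows each variant passes. The addresses, the value 4500 for port x, the one-address-per-inside-host pool behaviour and all function and class names are assumptions made for illustration.

```python
import ipaddress

UDP, ESP = 17, 50                    # IP protocol numbers; ISAKMP is UDP port 500
ENCAP_PORT = 4500                    # assumed sample value for the article's port "x"
VPN_SERVER = "203.0.113.10"          # constructed stand-in for vpn-server-ip
POOL = ("198.51.100.20", "198.51.100.21")  # constructed public-ip-low / public-ip-high

def flow(src, dst, proto, sport=None, dport=None):
    """Describe one packet entering Inside and leaving Outside (ESP has no ports)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def is_isakmp(f):
    return f["proto"] == UDP and f["dport"] == 500

def is_esp(f):
    return f["proto"] == ESP

def is_vpn_encap(f):                 # Type = UDP, destination port x, source 1024-65535
    return f["proto"] == UDP and f["dport"] == ENCAP_PORT and 1024 <= f["sport"] <= 65535

SERVICE_GROUPS = {
    "no-encap": (is_isakmp, is_esp),         # Protocols = ISAKMP, ESP
    "udp-encap": (is_vpn_encap, is_isakmp),  # Protocols = vpn-encap, ISAKMP
}

class Gateway:
    """Toy model of the rule, NAT pool and outbound address transform; not appliance code."""
    def __init__(self, variant):
        self.services = SERVICE_GROUPS[variant]
        # The article lists the NAT pool and transforms only in the no-encapsulation steps.
        self.nat = variant == "no-encap"
        lo, hi = (int(ipaddress.ip_address(a)) for a in POOL)
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.leases = {}

    def outbound(self, f):
        """Return (verdict, translated_source) for one outbound flow."""
        # Rule VPN-Outbound: Source/Destination = Universe, so only the service group filters.
        if not any(match(f) for match in self.services):
            return ("deny", None)
        # Transform VPN-Outbound applies only toward host-vpnserver-external.
        if not self.nat or f["dst"] != VPN_SERVER:
            return ("permit", None)
        if f["src"] not in self.leases:
            if not self.free:        # assumption: one pool address per inside host
                return ("pool-exhausted", None)
            self.leases[f["src"]] = self.free.pop(0)
        return ("permit", self.leases[f["src"]])
```

In this model an ESP flow to a host other than the VPN server is still permitted by the rule, because the rule's Destination is Universe while only the address transform is scoped to host-vpnserver-external.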
Legacy ID
2006053010123554