
Secureclient fails to connect


genlee (MIS, US)
Dec 30, 2003
I am trying to get SecureClient to connect to an NG FP3 firewall. I have all the rules set up but SecureClient always returns the error "failed to connect to site <blah>". So I ran snoop on the firewall and tried to reinitiate the connection and this is what I found:

ICMP Destination unreachable (UDP port 500 unreachable)

In the logs, I can see the IKE key exchange is accepted. Anyone know what would cause port 500 to be unavailable on the firewall?
 
What sort of firewall do you have?

If it's a Nokia IP 650 with more than 12 interfaces then you will have a problem. Unpatched, the firewall doesn't run the VPN daemon. From a command prompt on your firewall, run a ps -ax command. If vpnd is not an active, running service, then this is the problem. It may also be an idea to run netstat -a to ensure the firewall is listening on port 500.
If this is the case, then there is a download available on Nokia's website, but you will need a valid login to get it.
(It is a known bug to do with IPSO).

Other things to look for:

Do you have implied rules switched off? If you do, you will have to explicitly create a rule allowing IKE, VPN1_IPSEC_encryption and FW1_Topo from the network on which your client sits, to the external interface of the firewall.

Does the network on which your client sits know how to get to the firewall?


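The two checks suggested above (is vpnd in the process list, is anything bound to port 500) scripted as one triage helper. This is an added example, not code from the thread or from Check Point; it assumes Solaris-style ps -ax and netstat -an text, and the sample listings inside it are constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example: automates the vpnd / port-500 checks from the reply above.
# Assumes Solaris- or Linux-style "ps -ax" and "netstat -an" output on stdin.

# Exit 0 when a vpnd process appears in the ps listing on stdin
# (lines containing "grep" are dropped so a pipeline cannot match itself).
vpnd_running() {
    grep -v 'grep' | grep -Eq '(^|[[:space:]/])vpnd([[:space:]]|$)'
}

# Exit 0 when the LOCAL address of some socket line ends in port 500.
# The first field that looks like an address ("*.500" on Solaris,
# "0.0.0.0:500" on Linux) is taken as the local address, so a remote
# peer on port 500 in the foreign-address column does not count.
ike_port_bound() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /[.:][0-9*]+$/) {
               if ($i ~ /[.:]500$/) found = 1; break } }
         END { exit found ? 0 : 1 }'
}

# Arguments: ps output, netstat output.
# Returns 0 = both checks pass, 1 = vpnd missing, 2 = vpnd up but no IKE socket.
ike_triage() {
    ps_out=$1; ns_out=$2
    if ! printf '%s\n' "$ps_out" | vpnd_running; then
        echo "vpnd is not running: stop/start the firewall and read vpnd.elg"
        return 1
    fi
    if ! printf '%s\n' "$ns_out" | ike_port_bound; then
        echo "vpnd is up but nothing is bound to UDP/500 (IKE)"
        return 2
    fi
    echo "vpnd running and port 500 bound: check implied rules / IKE rule next"
    return 0
}

# Constructed sample listings (not real firewall output) for a dry run.
PS_OK='  PID TT    S TIME COMMAND
  201 ?     S 0:00 fwd
  207 ?     S 0:00 vpnd
  310 pts/1 O 0:00 ps -ax'
PS_BAD='  PID TT    S TIME COMMAND
  201 ?     S 0:00 fwd
  310 pts/1 O 0:00 ps -ax'
NS_OK='UDP: IPv4
   Local Address   Remote Address   State
   *.500                            Idle
   *.123                            Idle'
NS_BAD='UDP: IPv4
   Local Address   Remote Address   State
   *.123                            Idle'
```

On a live box, feed it real output: ike_triage "$(ps -ax)" "$(netstat -an)".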
 
I have Check Point running on a Sun UltraSPARC. I checked and vpnd was not running, so I stopped/started the firewall then tailed vpnd.elg and found this error in it:
SAdeleteAll: failed to stat tab IKE_SA_table.
vpnd_cmain: Failed to Initiatlize resolver.

I searched through SecureKnowledge but wasn't able to find anything helpful. Also, I do have implied rules off and have a rule set up for the IKE key exchange. Currently the test firewall and the client are on the same network.
 