Oct 07
How many times have you been asked to set up a VPN tunnel that requires a NAT IP to be presented in the tunnel? This is a common request, since some of your VPNs might have the same private subnets on both sides, such as 192.168.0.0/24.
Since the introduction of SMC 5.0, you now need to define both your source IP address and your NAT IP address within your encryption domain. Below is an example of how to accomplish this.
written by SideKick - 4,633 views
Oct 02
How many of you want to connect to your work using your Mac OS X desktops and laptops? Well, there is some good news for you. We have tested this using VPN Tracker 5.4.1 and successfully connected to StoneGate Firewall versions 4.2.8, 4.3.2 and 5.0.1 without issue.
It even gets a Virtual IP address via MODE CFG like the StoneGate Windows Client. Certificate authentication is still required, though: XAUTH also works, but not alone. It still requires a cert in any case.
NOTE — Don’t use static Username/Password (e.g. don’t set anything for username/password fields via Edit or you won’t be prompted for a username / password)
So, let’s break this into 3 sections: the Mac OS X Steps, the VPN Tracker Steps, and the StoneGate Settings.
written by SideKick - 5,246 views
Jul 14
Sometimes it may be necessary to apply NAT rules to VPN traffic leaving or entering the tunnel.
This is not typical, and not this easy with other vendors' solutions, but it is a “piece of cake” with StoneGate.
Please note, however, that it is disabled by default in the VPN profile properties, so no matter what NAT rules you create for allowed VPN traffic, the traffic will not be NATted, which sometimes causes a lot of confusion.
To enable the desired functionality, go to “Configuration” -> “VPN”, select the desired VPN profile, right-click, select “Properties” (Ctrl+R) and then click “Apply NAT to traffic that uses this VPN”.
Refresh the policy and … voilà – now you can adjust your IP addressing scheme however you want!
written by DR - 1,529 views
Jun 04
Generally we want, or are required, to use the Virtual IP feature with the StoneGate VPN client. But the Virtual IP feature needs DHCP relay to be configured in order to give an IP address to the remote VPN client.
To clarify the situation on this topic: the way virtual addresses are granted to clients changed in version 4.2.0, and new changes were introduced in FW 4.2.6.
Below you will find some descriptions to help you configure and understand this DHCP part.
written by Hokkyokuguma - 2,590 views
\\ tags: DHCP, mvpn client, tech details, Tips & Tricks, Virtual IP
Mar 02
StoneGate Management Center 5.0 introduces a new network diagram type: VPN diagrams. That gives you two interesting opportunities:
- Visualize the VPN topologies
- Monitor the status of VPN tunnels

VPN diagrams are autogenerated in the System Status view. You’ll see the VPN topology and the status of the VPN tunnels with a single click. You can also select individual Gateways from the Status tree. The system then draws you a diagram that includes all the tunnels of all the VPNs in which the selected gateway is used. And if these features still don’t satisfy your needs, you can of course create custom VPN network diagrams that show you exactly the information you need. Network diagrams are, by the way, also a convenient tool for documenting your environment.
written by Tero Jantunen - 4,082 views
\\ tags: 5.0, Features, SMC, stonegate, VPN
Jan 23
If there is a link with a smaller MTU somewhere between the VPN gateways, the router connected to the link will send an ICMP “fragmentation needed” message (type 3, code 4) in response to ESP packets that have the DF bit set and that are bigger than the MTU.
However, at that point the firewall only stores the MTU information; no ICMP error message is sent to the endpoint of the original connection.
Only when the host in the internal network sends its next packet does the firewall handling the connection reply with the ICMP error message.
written by RoarinPenguin - 4,291 views
\\ tags: engine, fragmentation needed, ICMP, VPN
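When troubleshooting this from a packet capture, it helps to confirm that a captured ICMP error really is the case described above: type 3, code 4, raised for an ESP packet with DF set that was larger than the reported MTU. The parser below is an added example, not part of the original post or of StoneGate; the sample message, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, IPPROTO_ESP, IP_DF = 3, 4, 50, 0x4000

def parse_frag_needed(icmp: bytes):
    """Parse an ICMPv4 message; return a dict for type 3/code 4, else None.
    The ICMP checksum is not verified here."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus embedded IPv4 header")
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]  # IPv4 header of the packet the router dropped
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", inner[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    return {
        "next_hop_mtu": next_hop_mtu,           # RFC 1191 field, ICMP bytes 6-7
        "orig_len": total_len,                  # size of the dropped packet
        "df": bool(flags_frag & IP_DF),
        "is_esp": proto == IPPROTO_ESP,
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def is_tunnel_pmtu_event(info):
    """True when the error matches the text: ESP, DF set, bigger than the MTU."""
    return (bool(info) and info["is_esp"] and info["df"]
            and info["orig_len"] > info["next_hop_mtu"])

def build_sample(mtu=1400, length=1438, proto=IPPROTO_ESP, flags=IP_DF):
    """Constructed sample: ICMP header, embedded IPv4 header, 8 bytes of ESP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, flags, 64, proto, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,
                     ipaddress.IPv4Address("198.51.100.1").packed)
    esp = struct.pack("!II", 0x1000, 1)         # SPI and sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + esp

if __name__ == "__main__":
    info = parse_frag_needed(build_sample())
    print(info, "tunnel PMTU event:", is_tunnel_pmtu_event(info))
```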