Q: Debug 3Com VPN (No Answer, 2 Comments)
Question  
Subject: Debug 3Com VPN
Category: Computers > Security
Asked by: chrisdaft-ga
List Price: $40.00
Posted: 04 Mar 2003 22:35 PST
Expires: 03 Apr 2003 22:35 PST
Question ID: 172008
I have a 3Com OfficeConnect 25 firewall and the Safenet IKE VPN
client.  The client appears to authenticate itself to the firewall
correctly (phase I and phase II both work).  However, after this
authentication, no data can be transferred through the VPN connection.
I can't even ping machines on the corporate LAN side of the firewall.  I am
trying to connect to the corporate LAN from a PC on the Internet which
has no NAT, although it does have a ZoneAlarm software firewall.  I have set
ZoneAlarm up to pass all traffic from the SafeNet client.

I would like to know how to debug this.

Clarification of Question by chrisdaft-ga on 14 Mar 2003 07:41 PST
Hi,

Thanks for writing, but this doesn't get me any further.  

I have already tried disabling ZoneAlarm (doesn't change anything) and
doing pings (the firewall drops them in both directions.)  Traceroute
doesn't help either - I can see that the traceroute packets aren't
going through the firewall, but it doesn't provide any other
information.  I do have the VPN firewall upgrade installed, as I can
set its parameters via a browser on the corporate side.  The ISAKMP
settings are right because I can see the phase 1 and phase 2
authentications going through successfully.  I have also read all of
3Com's material on their web site, such as the FAQ you mention.

So my question is - given that I have tried all of this obvious stuff,
where do I go (short of using a packet sniffer which would result in a
gigantic/impractical amount of data to sift through)?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Debug 3Com VPN
From: tapolyai-ga on 13 Mar 2003 14:15 PST
 
You are asking how to debug your VPN connection using 3Com
OfficeConnect 25 firewall on one end, and Safenet IKE VPN client on
the other.

My suggestion is as follows - remove/turn-off ZoneAlarm on client,
and any other applications that you even think use the Internet. 
There are several apps that launch background database update and
version checks so make sure you do turn them off.  This reduces the
number of compatibility issues.

Record external/public client IP. Record external/public corporate IP.
Ping corporate public IP from client public IP.
Ping client public IP from corporate public IP.

It is possible that one or both drop the ping; try traceroute both
ways too. It is also possible that both drop traceroute too. We are
just trying to see if we can reach each one.  Some ISPs block certain
packet types.

Make sure your corporate VPN is set up with IKE and the right ISAKMP
settings.

Have you checked if you have the latest VPN client?  Have you checked
you have the latest software on the corporate side?  Did you load the
VPN Upgrade on the OfficeConnect?

If you continue to have problems, and have exhausted 3COM support, you
will need to get software that will allow you to look at packets on
both sides of the client (inside private IP, outside public IP), and
same at the corporate side.

You might want to start here
ftp://ftp.3com.com/pub/officeconnect/internetfirewall/internet_firewall_tshooting_faqs.pdf


Regards,
T
Subject: Re: Debug 3Com VPN
From: tapolyai-ga on 14 Mar 2003 10:46 PST
 
I am not sure I can suggest anything better than a sniffer.  All
current sniffer-like tools allow you to limit the source and
destination address, thereby eliminating much of the other
communication.  Have you tried alternative clients?  Have you ever
been able to establish a VPN connection to this setup?
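
The narrowing described in the comment above (restrict the capture to the two endpoints), as an added example that is not part of the original thread: it keeps only packets between the client and the firewall and counts IKE, ESP and AH per direction, so a large capture reduces to whether encrypted traffic flows each way. The addresses and sample packets are constructed, and it assumes raw IPv4 packets with IKE on UDP port 500 and tunnel data in ESP (IP protocol 50) or AH (51), without NAT traversal.

```python
import socket
import struct
from collections import Counter

CLIENT, GATEWAY = "198.51.100.10", "203.0.113.1"  # constructed public IPs

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed sample (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Return (src, dst, kind); kind is IKE, ESP, AH or other."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    kind = {50: "ESP", 51: "AH"}.get(proto, "other")
    if proto == 17 and len(pkt) >= ihl + 4:
        if 500 in struct.unpack("!HH", pkt[ihl:ihl + 4]):
            kind = "IKE"  # ISAKMP/IKE negotiation on UDP port 500
    return src, dst, kind

def tally(packets, a, b):
    """Count tunnel-related packets per direction between hosts a and b only."""
    counts = Counter()
    for pkt in packets:
        src, dst, kind = classify(pkt)
        if {src, dst} == {a, b} and kind != "other":
            counts[(src, dst, kind)] += 1
    return counts

def diagnose(counts, client, gateway):
    """Summarise whether encrypted payload (ESP) is seen in each direction."""
    if not counts[(client, gateway, "ESP")]:
        return "no ESP leaves the client"
    if not counts[(gateway, client, "ESP")]:
        return "ESP leaves the client, none returns"
    return "ESP seen in both directions"

# Constructed capture: IKE both ways, ESP outbound only, one unrelated packet.
SAMPLE = [
    ipv4(CLIENT, GATEWAY, 17, udp(500, 500, b"\x00" * 28)),
    ipv4(GATEWAY, CLIENT, 17, udp(500, 500, b"\x00" * 28)),
    ipv4(CLIENT, GATEWAY, 50, b"\x00" * 40),
    ipv4(CLIENT, "192.0.2.53", 17, udp(40000, 53, b"\x00" * 20)),
]
```

Calling `diagnose(tally(SAMPLE, CLIENT, GATEWAY), CLIENT, GATEWAY)` on the constructed capture reports ESP leaving the client with none returning; running the same tally on captures from both sides of the firewall shows on which side the packets stop.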
