
[fw1-gurus] SecureClient in internet Vpn to Vpn gateway with natted address.



Hi gurus,
hopefully a simple question.

I have a checkpoint NGAI R55 (over Windows) with the external interface,
which leads to internet, having a private Ip address and it is just
behind a Nat, an Adsl router.
I would like to establish a Vpn from a SecureClient on internet to this
Checkpoint box.
So I forwarded all the relevant protocols on the Adsl router to the
Checkpoint box in order to allow the traffic generated from the
SecureClient, directed to the Adsl router (public interface) to reach
the Vpn gateway.

The site creation succeeds. But when I try to establish the Vpn from the
SecureClient, it generates the Ike traffic towards the private interface
of the Vpn gateway, and of course they don't reach the Adsl router as
they are dropped in internet.
The behaviour is the same if I set the Nat encapsulation.

--------------------------------------------------------------------------

An example:

SecureClient (60.1.1.1) ----------> (212.1.1.1) Adsl router (192.168.1.1) ----------> (192.168.1.2) Cp NGAI box

The SecureClient tries to establish the Vpn to the address 212.1.1.1 and
the Adsl router forwards the relevant protocols to 192.168.1.2.
The forwarded protocols are Esp, Ike (Udp/500), Ike over Tcp (Tcp/500),
Rdp for Vpn negotiation (Udp/259), tunnel_test (Udp/18234), Fw1_topo
(Tcp/264), Vpn1_IpSec_encapsulation (Udp/2746).

The site 212.1.1.1 creation in SecureClient succeeds. But when the
SecureClient tries to establish the Vpn to the site with address
212.1.1.1, it sends the Ike packets to 192.168.1.2 instead of 212.1.1.1.
The odd thing is that Ike is used in both site creation and Vpn
connection, but during the site creation Ike packets are sent to
212.1.1.1, during Vpn connection to 192.168.1.2.

--------------------------------------------------------------------------

The SecureClient is R56, tried with builds 311 and 615.

Could you please suggest where I'm wrong and if what I'm trying to do is
technically possible?

Thank you in advance!
Diego.

---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx
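A small diagnostic for the situation Diego describes, added here as an example and not part of the original post or of any Check Point tool: it takes tcpdump-style capture lines (the lines below are constructed, not a real capture) and reports which VPN-related packets go to the expected public gateway address and which are sent to a private address instead, which is exactly the symptom in the post. It also checks a router's port-forward list against the set of protocols the post says must be forwarded. The line format, the `analyze` and `missing_forwards` names and the sample addresses are assumptions made for this example.

```python
"""Diagnose a SecureClient that sends IKE/ESP to the gateway's private address
instead of the NATed public address. Added example; not from the original post."""
import ipaddress
import re

# Protocols the post lists as forwarded on the ADSL router to the Check Point box.
# (proto, port); ESP has no port, so its port is None.
VPN_SERVICES = {
    ("esp", None): "ESP",
    ("udp", 500): "IKE",
    ("tcp", 500): "IKE over TCP",
    ("udp", 259): "RDP (VPN negotiation)",
    ("udp", 18234): "tunnel_test",
    ("tcp", 264): "FW1_topo",
    ("udp", 2746): "VPN1_IPSec_encapsulation",
}

# Simplified tcpdump-like line: "IP src[.sport] > dst[.dport]: proto"
LINE_RE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\w+)$"
)

# Constructed sample capture, mirroring the post's example: site creation
# (FW1_topo, IKE) goes to the public address, the VPN connection does not.
SAMPLE_CAPTURE = """\
IP 60.1.1.1.2000 > 212.1.1.1.264: tcp
IP 60.1.1.1.500 > 212.1.1.1.500: udp
IP 60.1.1.1.500 > 192.168.1.2.500: udp
IP 60.1.1.1.500 > 192.168.1.2.500: udp
IP 60.1.1.1 > 192.168.1.2: esp
"""


def parse_line(line):
    """Return (src, dst, (proto, dport)) for a capture line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, _sport, dst, dport, proto = m.groups()
    key = (proto.lower(), None) if dport is None else (proto.lower(), int(dport))
    return src, dst, key


def analyze(capture, public_gateway):
    """Count VPN packets sent to the public gateway vs. a private address.

    'misdirected' lists (service, destination) for VPN packets whose destination
    is an RFC 1918 address, i.e. traffic that cannot traverse the internet.
    """
    gateway = ipaddress.ip_address(public_gateway)
    report = {"to_gateway": 0, "misdirected": [], "unclassified": 0}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _src, dst, key = parsed
        service = VPN_SERVICES.get(key)
        if service is None:
            report["unclassified"] += 1
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == gateway:
            report["to_gateway"] += 1
        elif dst_ip.is_private:
            report["misdirected"].append((service, dst))
        else:
            report["unclassified"] += 1
    return report


def missing_forwards(configured):
    """Return the (proto, port) pairs from VPN_SERVICES absent from a router's forward list."""
    missing = set(VPN_SERVICES) - set(configured)
    return sorted(missing, key=lambda k: (k[0], k[1] or 0))


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE, "212.1.1.1")
    print(f"VPN packets to public gateway: {result['to_gateway']}")
    for service, dst in result["misdirected"]:
        print(f"  {service} sent to private address {dst} (will be dropped in transit)")
    # Router forward list missing one entry, to show the check.
    partial = [k for k in VPN_SERVICES if k != ("udp", 2746)]
    print("Forwards still needed on the router:", missing_forwards(partial))
```

Run against a real capture taken on the client side, a non-empty `misdirected` list confirms the post's observation that the phase which fails is the one addressing the gateway by its private interface, while `missing_forwards` rules out an incomplete forward table on the ADSL router as the cause.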