
RE: [fw1-gurus] SecureClient in internet Vpn to Vpn gateway with natted address.



We tried to do something along these lines a while ago, but were never
able to get it working - we saw pretty much exactly the same thing you
did. We ended up adding a secondary public address to the enforcement
module (in a private network), and routing that public address back
into it. We then had some other issues where, if you rebooted the box, the
replies would come from the private address until you deleted the
public address and re-added it.

It all works much more simply if you can publicly address the enforcement
module.

HTH,

 - Lindsay

-----Original Message-----
From: Diego.Balgera@xxxxxxxxx [mailto:Diego.Balgera@xxxxxxxxx] 
Sent: Sunday, 26 December 2004 11:08 a.m.
To: fw1-gurus@xxxxxxxxxxxxxxxxxx
Subject: [fw1-gurus] SecureClient in internet Vpn to Vpn gateway with
natted address.


Hi gurus,
hopefully a simple question.

I have a Check Point NG AI R55 (on Windows) whose external interface,
the one leading to the internet, has a private IP address and sits just
behind a NAT device, an ADSL router. I would like to establish a VPN from a
SecureClient on the internet to this Check Point box. So I forwarded all the
relevant protocols on the ADSL router to the Check Point box, in order to
allow the traffic generated by the SecureClient and directed to the ADSL
router (public interface) to reach the VPN gateway.

The site creation succeeds. But when I try to establish the VPN from the
SecureClient, it generates the IKE traffic towards the private interface
of the VPN gateway, and of course the packets never reach the ADSL router,
as they are dropped on the internet. The behaviour is the same if I enable
NAT encapsulation.

--------------------------------------------------------------------------

An example:

SecureClient (60.1.1.1) ----------> (212.1.1.1) ADSL router (192.168.1.1) ----------> (192.168.1.2) CP NG AI box

The SecureClient tries to establish the VPN to the address 212.1.1.1 and
the ADSL router forwards the relevant protocols to 192.168.1.2. The
forwarded protocols are ESP, IKE (UDP/500), IKE over TCP (TCP/500), RDP
for VPN negotiation (UDP/259), tunnel_test (UDP/18234), FW1_topo
(TCP/264) and VPN1_IPSEC_encapsulation (UDP/2746).

Creation of the site 212.1.1.1 in SecureClient succeeds. But when the
SecureClient tries to establish the VPN to the site with address
212.1.1.1, it sends the IKE packets to 192.168.1.2 instead of 212.1.1.1.
The odd thing is that IKE is used in both site creation and VPN
connection, but during site creation the IKE packets are sent to
212.1.1.1, and during VPN connection to 192.168.1.2.

--------------------------------------------------------------------------

The SecureClient is R56, tried with builds 311 and 615.

Could you please suggest where I'm going wrong, and whether what I'm trying
to do is technically possible?

Thank you in advance!
Diego.

---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx


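The address mismatch Diego describes, modelled as an added example so the failure mode can be reasoned about before touching the gateway. This is not code from the post, the list or Check Point. The modelled client behaviour is an assumption drawn from the symptoms: the client learns the gateway's interface addresses from the topology it downloads at site creation, and then uses the gateway's own interface address, rather than the address the site was created with, as the IKE peer for the VPN connection. The addresses 212.1.1.1 and 192.168.1.2 are from the post; 212.1.1.2, used to illustrate Lindsay's workaround of a second public address on the enforcement module, is hypothetical.

```python
"""Model of the SecureClient / NATed-gateway IKE peer mismatch (added example).

Assumed client behaviour (not confirmed by the thread): the IKE peer for the
VPN connection is taken from the gateway's advertised topology, not from the
site address typed into the client.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ike_peer: str   # address the modelled client would send IKE to
    ok: bool        # True if that address is routable from the internet
    reason: str


def ike_peer_from_topology(site_address: str, advertised: list) -> str:
    """Pick the IKE peer the way the modelled client does (assumption).

    If the site address is one of the gateway's own interfaces, use it.
    Otherwise the site address belongs to a NAT device in front of the
    gateway, and the client falls back to the gateway's first advertised
    interface, which in the post is the private external interface.
    """
    if site_address in advertised:
        return site_address
    return advertised[0]


def unroutable_addresses(advertised: list) -> list:
    """Advertised gateway addresses a client on the internet cannot reach."""
    return [a for a in advertised if ipaddress.ip_address(a).is_private]


def check_vpn_site(site_address: str, advertised: list) -> Finding:
    """Report whether the IKE peer the modelled client picks is reachable."""
    peer = ike_peer_from_topology(site_address, advertised)
    if peer == site_address:
        return Finding(peer, True, "IKE peer is the site address; no NAT mismatch")
    if ipaddress.ip_address(peer).is_private:
        return Finding(
            peer, False,
            f"IKE peer {peer} is an RFC 1918 address behind the NAT at "
            f"{site_address}; packets to it are dropped on the internet",
        )
    return Finding(peer, False,
                   f"IKE peer {peer} differs from site address {site_address}")


if __name__ == "__main__":
    # Diego's topology: site created to the ADSL router's public address,
    # gateway advertises only its private external interface.
    broken = check_vpn_site("212.1.1.1", ["192.168.1.2"])
    print("as posted:", broken)
    print("unroutable advertised addresses:",
          unroutable_addresses(["192.168.1.2"]))

    # Lindsay's workaround, with a hypothetical second public address
    # configured on the enforcement module and routed back to it.
    fixed = check_vpn_site("212.1.1.2", ["192.168.1.2", "212.1.1.2"])
    print("with public address on module:", fixed)
```

The check is deliberately independent of any Check Point tooling: feed it the site address the client uses and the interface addresses the gateway object advertises, and it tells you whether the IKE peer the client will end up with is something the internet can route to. Under this model, port-forwarding the listed services on the ADSL router is necessary but not sufficient, because the client never sends the IKE packets to the forwarded address in the first place.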