SecuRemote vpn connection
18 years 11 months ago #11778
by suderman
SecuRemote vpn connection was created by suderman
Hello All!
I was trying to set up a VPN connection with my Checkpoint NG R55 using the SecuRemote client.
All Checkpoint's interfaces are private addresses, so to connect from outside
NAT is performed on a Cisco router which serves as gateway to the internet and one of its interfaces is public.
The router is a Cisco 832 SOHO router.
Here's how it looks:
I connect to the public interface of the router with the SecuRemote client.
The client is connecting to the firewall, then I have a window asking for username and password, but when the client is exchanging keys with the firewall nothing happens and I have an error that Communication failed.
On Checkpoint's side all is OK. I've set up a Remote Access community, group, users, rules, ...
When I connect from the internal network everything is fine,
so I suppose the problem is on the Cisco router - especially the NAT configuration.
Should I forward some ports to external clients?
If yes, which ones?
I've tried forwarding udp-500 (IKE), tcp-264 (fw1_topo) ...
but it didn't help.
Any ideas and suggestions appreciated.
Thank You
18 years 11 months ago #11817
by suderman
Replied by suderman on topic Re: SecuRemote vpn connection
I'm using IPSEC, which is standard for Checkpoint.
What's FWZ?
Can I use it with Checkpoint?
18 years 11 months ago #11824
by TheBishop
Yeah, I was having a quick skim of the documentation on Checkpoint's web site before I mentioned it. There are three encryption methods it supports, with FWZ being the built-in Checkpoint proprietary one. It also does IPSec and something else I can't remember. If you're using IPSec across a NATted router you definitely have some potential issues there, which is why I suggested maybe you could try one of the other schemes. I tried an IPSec VPN here last year and gave up on it because of similar problems to those you're describing. But a PPTP one worked almost first time.
18 years 11 months ago #11861
by tiamat
Replied by tiamat on topic Re: SecuRemote vpn connection
#1 Show us your NAT statement on the Cisco router.
#2 What build of SecuRemote are you using, and what are your Advanced IKE settings? i.e. Force UDP / support IKE over TCP, and is your firewall configured to allow those methods of connection?
18 years 11 months ago #11870
by tiamat
Replied by tiamat on topic Re: SecuRemote vpn connection
Direct from Checkpoint, and I even tested it out myself:
Solution ID: #sk11682
Product: VPN-1
Version: NG
Last Modified: 16-Mar-2004
Symptoms
The SecuRemote client manages to download topology from the static/routable IP but fails to communicate with the encryption domain. The Security Policy is defined in Simplified mode on the SmartCenter Server.
ike.elg on the client: MainMode and ConfigMode succeeded with the static/routable IP (without QuickMode). MainMode with the internal IP of the FireWall-1 failed after packet one (the FireWall-1 does not receive it).
Cause
SecuRemote is not sending MainMode packet one to the FireWall-1 because the destination IP is not a routable IP (it is internal).
Solution
Generally, it is recommended to use the dynamic resolving mechanism, in which the VPN-1 Gateway's interfaces are probed when the SecuRemote client addresses the Gateway.
Notice that the dynamic resolving solution does not interfere with anti-spoofing.
How to configure:
A. Dynamic resolving must be chosen for the gateway for remote access.
Via Global Properties -> Remote Access -> VPN-1 Advanced -> Resolving Mechanism -> select "Enable dynamic interface resolving...".
Enable dynamic interface resolving on the VPN-1 gateway itself (via the VPN Advanced tab). Choose either "Upon tunnel initialization" or "Upon every connection initialization".
B. Add an additional external interface to the VPN gateway, with the NATed IP as its address.
(Note on that last part - this is done on the Checkpoint gateway object within SmartDashboard. Just add a non-existent interface (call it anything you want), give it the NATed IP address, and make sure to set its topology as External.)