VPN CheckPoint - SecuRemote
17 years 6 months ago #21981
by shaj
VPN CheckPoint - SecuRemote was created by shaj
Hi everyone,
Any help would be great.
I'm trying to set up a VPN client.
My current setup is:
Dynamic IP, using dynamic DNS.
I have a Netgear router NATing a 192 address to the net.
I have a Checkpoint firewall sitting behind the router, with the external interface connected to a 192 address and the internal interface connected to a 10.0 address.
The firewall is all set up to allow remote access VPN.
On my laptop I have the Checkpoint SecuRemote client installed.
I can connect to my firewall from the laptop using my dynamic DNS name, which allows me to download all the topology, and I'm able to create a site.
The problem is that once this is done I'm unable to make any connection through the tunnel. I used Wireshark to monitor traffic, which shows the laptop source address is trying to reach a destination 192 address (the 192 address is shown as the destination address once the site is created), which is my firewall address. Obviously this is not a routable address.
The question is, can this be done?
Is it possible to create a VPN when your firewall is on a 192 address sitting behind the router which is NATing traffic out, bearing in mind that I was able to create a site and authenticate, but when trying to connect to a device it's trying to reach the 192 address?
Confused? Please accept my apology.
Any help will be much appreciated.
Many thanks
17 years 6 months ago #21987
by lomaree
Replied by lomaree on topic Re: VPN CheckPoint - SecuRemote
hi,
This is what I have understood from your question, but I need a little more explanation of your scenario.
Your Netgear router is responsible for the Internet connectivity and your FW sits behind it inside your LAN; your LAN clients ("laptop") use IP subnet 10.0.x.x. You have the Checkpoint SecuRemote client installed on your LAN 10.0.x.x laptop. Right?
1. What is your firewall?
2. The Checkpoint client you have installed, where are you connecting it to, a Checkpoint NG-01 firewall (remote location)? Right?
3. You are doing NAT on your firewall also. Right?
You are trying to pass IPsec and ISAKMP traffic through while NATing twice (FW and router); this is not at all recommended, believe me.
You will be able to create the site, as that only ensures connectivity to the destination, but when you try to connect it, it means passing encrypted traffic (IPsec and ISAKMP).
For Checkpoint SecuRemote, you would have to make sure that you have port 500 and the other ports for the SecuRemote VPN client opened on your firewall, and there should also be a NONAT for this IP.
If you want the ports for the SecuRemote VPN client I can do a search for you, or you can simply allow the whole IP traffic for this particular laptop in your FW ACL instead of going into the hassle of defining ports individually.
HTH
17 years 6 months ago #21998
by shaj
Replied by shaj on topic Re: VPN CheckPoint - SecuRemote
Hi there,
Thanks for your response.
You asked the following questions.
1. What is your firewall?
Checkpoint NGX
2. The Checkpoint client you have installed, where are you connecting it to, a Checkpoint NG-01 firewall (remote location)? Right?
The client is installed on the laptop. I'm connecting to my domain name, which resolves to 90.199.*.* (using dynamic DNS, Sky broadband). This is the address of my Netgear external interface. Once I make the connection to the 90.199.*.8 address from the outside I'm able to create a site and authenticate, but when I try to do a telnet session to one of my internal devices through the tunnel there is no response. Wireshark shows the laptop address is trying to make a connection to a 192.* address, which is the external interface of my firewall.
3. You are doing NAT on your firewall also. Right?
No NATing on the firewall, only on the Netgear router (the standard NATing an ADSL broadband router performs). I have a rule on the Netgear router to allow incoming traffic to my firewall's external interface 192.* address.
I can see VPN packets (ISAKMP, etc.) on my firewall when connecting from the outside through the VPN client on my laptop.
However, the problem is that once I have made the connection, all the topology is downloaded and a site is created, I'm unable to make a connection to any device in my network because the site topology on my VPN client says destination address 192.*, which is my firewall, and obviously it can't route because it's a private address.
Is there any way around this?
I hope that is clearer.
Once again thanks for your help.
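The symptom shaj describes twice above (IKE/ISAKMP completes against the dynamic DNS address, then Wireshark shows the laptop sending tunnel traffic to the firewall's 192 address) can be checked mechanically from a capture summary. The script below is an added example written for this page; it is not from the thread, not Check Point code, and not real tshark output. The capture lines are constructed in a simplified "src -> dst proto info" shape, and all addresses are assumptions drawn from documentation ranges (203.0.113.25 for the laptop, 198.51.100.8 for the router's public side, 192.168.1.2 for the gateway's external interface behind the router) rather than the poster's real ones.

```python
"""Added example: spot a remote-access IPsec client that negotiates IKE with a
public address but then sends its tunnel traffic to an RFC 1918 gateway address,
the "192 address" destination described in the thread.
Not Check Point code; the capture lines below are constructed, not real output."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Assumed addresses (documentation ranges, not the poster's real ones):
#   203.0.113.25  the laptop on the Internet
#   198.51.100.8  the Netgear router's public side (what dynamic DNS resolves to)
#   192.168.1.2   the Check Point gateway's external interface behind the router
# Lines follow a simplified "src -> dst proto info" summary shape.
BROKEN_CAPTURE = """\
203.0.113.25 -> 198.51.100.8 ISAKMP Identity Protection (Main Mode)
198.51.100.8 -> 203.0.113.25 ISAKMP Identity Protection (Main Mode)
203.0.113.25 -> 198.51.100.8 ISAKMP Quick Mode
198.51.100.8 -> 203.0.113.25 ISAKMP Quick Mode
203.0.113.25 -> 192.168.1.2 ESP SPI=0x1a2b3c4d seq=1
203.0.113.25 -> 192.168.1.2 ESP SPI=0x1a2b3c4d seq=2
203.0.113.25 -> 192.168.1.2 ESP SPI=0x1a2b3c4d seq=3
"""

# Same exchange, but the tunnel traffic goes to the address IKE was negotiated
# with, i.e. what a working setup looks like from the client side.
HEALTHY_CAPTURE = """\
203.0.113.25 -> 198.51.100.8 ISAKMP Identity Protection (Main Mode)
198.51.100.8 -> 203.0.113.25 ISAKMP Identity Protection (Main Mode)
203.0.113.25 -> 198.51.100.8 ISAKMP Quick Mode
198.51.100.8 -> 203.0.113.25 ISAKMP Quick Mode
203.0.113.25 -> 198.51.100.8 ESP SPI=0x1a2b3c4d seq=1
198.51.100.8 -> 203.0.113.25 ESP SPI=0x5e6f7a8b seq=1
"""

LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>\S+)\s*(?P<info>.*)$"
)

# Protocols that carry the tunnel itself once IKE is done: plain ESP, or ESP
# encapsulated in UDP 4500 (NAT-T), which Wireshark labels UDPENCAP.
TUNNEL_PROTOS = {"ESP", "UDPENCAP"}

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space. ipaddress's is_private is deliberately not
    used: it also flags documentation ranges such as 198.51.100.0/24."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Parse the summary lines; lines that do not match the shape are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def diagnose(packets: List[Dict[str, str]], site_address: str) -> Dict[str, object]:
    """Compare where IKE went with where the tunnel traffic goes.

    site_address is what the client's site points at (the dynamic DNS name
    after resolution). The client is taken to be whoever sends ISAKMP to it.
    """
    client: Optional[str] = None
    ike_ok = False
    tunnel_dsts: Set[str] = set()
    for p in packets:
        if p["proto"] == "ISAKMP" and p["dst"] == site_address:
            client, ike_ok = p["src"], True
        elif p["proto"] in TUNNEL_PROTOS and p["src"] == client:
            tunnel_dsts.add(p["dst"])

    findings: List[str] = []
    private_dsts = {d for d in tunnel_dsts if is_rfc1918(d)}
    if ike_ok and private_dsts:
        findings.append(
            f"IKE ran against {site_address} but tunnel packets go to "
            f"{sorted(private_dsts)}: the client was handed the gateway's NATed "
            "external interface as the tunnel endpoint, which is not routable "
            "from the Internet."
        )
    if ike_ok and not tunnel_dsts:
        findings.append("IKE completed but no tunnel traffic was seen.")
    return {
        "client": client,
        "ike_ok": ike_ok,
        "tunnel_dsts": tunnel_dsts,
        "private_tunnel_dsts": private_dsts,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cap in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        result = diagnose(parse_capture(cap), "198.51.100.8")
        print(label, result["findings"] or ["tunnel endpoint matches IKE peer"])
```

Running it prints one finding for the constructed "broken" capture and none for the "healthy" one. The useful part is the comparison itself: if IKE peers with the public address but ESP (or UDP 4500) leaves the client for an RFC 1918 address, the problem is the endpoint address the gateway hands to the client, not the router's port forwarding, which the successful IKE exchange already proves is working.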
17 years 6 months ago #22005
by TheBishop
Replied by TheBishop on topic Re: VPN CheckPoint - SecuRemote
What is the IP address being obtained/assigned to your laptop? If this is also a 192 address it'll never work. If that's the case, change your laptop address to a different private IP address range.
17 years 6 months ago #22036
by shaj
Replied by shaj on topic Re: VPN CheckPoint - SecuRemote
Hi, the IP address on the laptop is a routable address and not 192. Thanks
17 years 6 months ago #22037
by TheBishop
Replied by TheBishop on topic Re: VPN CheckPoint - SecuRemote
I've re-read your post carefully and I think the issue here may be the 192 address that your Checkpoint has. As you say, it's going to be a problem for the Internet to route anything to a 192 destination, which is why your VPN can't get to the other end of the link. Our VPN here isn't a Checkpoint one, but the VPN endpoint device in the office has a 'real' Internet address so it can be found. However, the fact that you're able to make the initial connection confuses me a bit. Perhaps that is working because you have some port forwarding going on? I wonder if it might be possible to set up a static NAT (port forward) on the Netgear to forward everything coming into its address (i.e. the Netgear's real Internet IP address) on the port the VPN uses to the 192 address of the Checkpoint. You'd then have to point your VPN client to the Netgear's address for it to work. It all seems messy, however, and it would be much more straightforward if you were using fixed Internet IP addresses allocated by your ISP instead of dynamic DNS. I'm not sure if that is an option for you though.