
using microsoft vpn pptp client from BEHIND Checkpoint Gateway

Posted on 2007-03-28
Last Modified: 2013-11-16
Using AI R55, I am trying to use a Windows PPTP VPN client to connect to a remote gateway.
The remote gateway is a Draytek router.
Now, when I'm NOT behind my Checkpoint gateway, I can connect to this without any problems, but going through the gateway I cannot connect.
Looking at my logs I see accepts for rule 6, and I don't see any drops for source or destination.
Rule 5: Source: my local LAN & my Checkpoint gateway; Destination: remote gateway & my Checkpoint gateway; Service: Any

Now, when I fire up the Microsoft PPTP client I can see it authenticating, but it doesn't connect. As far as I can see there are no drops in the logs.
My local network is 10.1.0.0 255.255.0.0.
When I connect to the remote gateway I should be allocated a 10.0.0.X 255.255.255.0 address.

ANY IDEAS, AS I AM NOW DESPERATE?

Question by:lowfell
LVL 9

Expert Comment

by:David Piniella
ID: 18811310
Are you allowing both TCP 1723 and GRE (IP protocol number 47) through the gateway? If you don't have both, the connection won't be made.

Author Comment

by:lowfell
ID: 18812546
I have a rule that says:
Rule 6: Any source to my gateway for PPTP & GRE
Rule 7: From my local LAN to the remote gateway for ANY traffic
        From the REMOTE gateway to MY gateway for ANY traffic
        From my gateway to my local LAN for ANY traffic
When I try to connect I see the client authenticating, then it waits a while, then says
"The remote computer did not respond"
I SEE NO DROPS IN THE LOGS
LVL 6

Expert Comment

by:Dooglave
ID: 18812861
In SmartView Tracker, run the SmartDefense filter and see if there are any drops.
If you do, then check your SmartDefense settings under Application Intelligence | VPN Protocols | PPTP Enforcement.

If not, at the command line run these two commands at the same time:
    fw ctl zdebug drop > pptpdrops.txt
    fw monitor -e "accept;" -o pptpdrops.cap
Reproduce the issue, then use Ctrl-C to stop the debugs.

If you're running Windows on the GW then just open two command lines; if you're running Linux you can use Ctrl-Alt-F1 and F2 terminals to run both commands at the same time.

Look at the files yourself with a text editor like UltraEdit, and Wireshark for the cap file. Or put them on an FTP server or something and send me the link.

Author Comment

by:lowfell
ID: 18814479
OK, I've tried the above and can still see no drops. However, I have discovered the following.
We have RA users who connect to the CHECKPOINT GATEWAY VIA SECURE CLIENT. They receive a 10.0.x.x 255.255.0.0 address when connecting to the local network.
The local network is 10.1.X.X 255.255.0.0.

The REMOTE NETWORK is 10.0.0.X 255.255.255.0, and when I connect to this network with the Windows PPTP client I get a 10.0.0.X 255.255.255.255 address.
IS THIS WHY IT DOESN'T WORK, BECAUSE OF THE ADDRESS CLASHING?

Can I change my LOCAL address pool from 10.0.X.X to, say, 172.31.X.X?
If I change my address pool to 172.31.X.X, will I still be able to connect to the 10.1.x.x network?

LVL 6

Accepted Solution

by: Dooglave (earned 500 total points)
ID: 18815313
It would make more sense to change the pool on the PPTP server. You already have everything else up and working with the LAN pool you have defined. If you change the LAN pool then you will have to fix your rulebase, anti-spoofing settings, and your encryption domain on the Check Point server. Also, if you have your Check Point GW licensed to the internal interface, then you will have to change your license.

But you are on to something, because the remote client needs to be on a different network from the internal network. Otherwise, when the internal endpoint hosts try to reply to the traffic, they will route it locally and ARP for the locally connected host. If it's another network, they either have a route to that network or it goes out the default GW. You gotta get it back to the PPTP endpoint so it can encrypt the traffic and send it across the tunnel back to the remote client.

Author Comment

by:lowfell
ID: 18822406
OK, just so I'm not wasting my time persevering:

Should I be able to use a Windows PPTP VPN client to connect to a remote gateway from BEHIND A CHECKPOINT GATEWAY?
LVL 9

Expert Comment

by:David Piniella
ID: 18824721
If the ports & protocols are allowed, yes. If the VPN doesn't build because of some incorrect parameters (as suggested above by the IP pool problems), then that's another matter.
LVL 6

Expert Comment

by:Dooglave
ID: 18826243
If you really want to solve the problem you have to know what the problem is; looking at the kernel drops and the packet capture you can figure this out:

At the command line, run these two commands at the same time:
    fw ctl zdebug drop > pptpdrops.txt
    fw monitor -e "accept;" -o pptpdrops.cap
Reproduce the issue, then use Ctrl-C to stop the debugs.

If you're running Windows on the GW then just open two command lines; if you're running Linux you can use Ctrl-Alt-F1 and F2 terminals to run both commands at the same time.

Look at the files yourself with a text editor like UltraEdit, and Wireshark for the cap file. Or put them on an FTP server or something and send me the link.

Author Comment

by:lowfell
ID: 18837212
I was TOTALLY puzzled as to why this didn't work as I could not see any drops in my logs, only green for go!

So I had a dig around on the Checkpoint site & found this, which basically says that pptp out from behind a gateway won't work with hide nat!
https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk31770&partition=PUBLIC&product=VPN-1%20Pro%20(VPN-1/FW-1)

Basically, I have used STATIC one-to-one NATs and this now works; luckily only three people need the access, so it wasn't so hard to get the addresses.
THIS NOW WORKS. THANKS TO ALL WHO HELPED ME.

I  DO THINK THAT IT'S A POOR SHOW THAT IT DOESN'T WORK WITH HIDE NAT?
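To illustrate the two points made in this thread, David Piniella's that PPTP needs both TCP 1723 and GRE (IP protocol 47), and lowfell's that PPTP from behind hide NAT did not work on R55 while static one-to-one NAT did, here is an added toy model (not from the thread, not Check Point code). It shows the general reason a port-only hide NAT cannot demultiplex GRE replies for more than one inside host without a PPTP-aware helper; the hosts, Call IDs and public addresses are constructed.

```python
# Added example (not from the thread): toy model of why PPTP's GRE data channel
# (IP protocol 47) breaks behind a port-only hide NAT while one-to-one static NAT
# works. Addresses are constructed: LAN 10.1.0.0/16 as in the question,
# 203.0.113.0/24 as an assumed public side.
from typing import Dict, Optional

TCP, GRE = 6, 47  # IP protocol numbers: PPTP needs TCP/1723 (control) and GRE (data)


class HideNat:
    """Many-to-one NAT that rewrites IP addresses and TCP/UDP ports only."""

    def __init__(self, public: str) -> None:
        self.public, self.next_port = public, 40000
        self.tcp: Dict[int, str] = {}         # NAT source port -> LAN host
        self.gre_owner: Optional[str] = None  # GRE has no ports, so only one slot

    def out(self, src: str, proto: int, call_id: int = 0) -> str:
        if proto == TCP:
            self.next_port += 1               # TCP has a port to key the mapping on
            self.tcp[self.next_port] = src
        else:
            # Without parsing PPTP Call IDs, the most recent GRE sender owns the slot.
            self.gre_owner = src
        return self.public

    def back(self, pub: str, proto: int, call_id: int = 0) -> Optional[str]:
        """Only GRE replies are modelled: the Call ID is carried but never consulted."""
        return self.gre_owner if proto == GRE else None

class StaticNat:
    """One-to-one NAT: each LAN host owns a public address, so GRE needs no demux."""

    def __init__(self, pairs: Dict[str, str]) -> None:
        self.fwd, self.rev = pairs, {v: k for k, v in pairs.items()}

    def out(self, src: str, proto: int, call_id: int = 0) -> str:
        return self.fwd[src]

    def back(self, pub: str, proto: int, call_id: int = 0) -> Optional[str]:
        return self.rev.get(pub)

def pptp_sessions(nat) -> Dict[str, Optional[str]]:
    """Two LAN clients open PPTP at once; return which host gets each GRE reply."""
    calls = {"10.1.0.11": 0x1A, "10.1.0.12": 0x2B}  # constructed hosts and Call IDs
    public = {}
    for host, call_id in calls.items():
        nat.out(host, TCP)                          # control channel to TCP/1723
        public[host] = nat.out(host, GRE, call_id)  # data channel, keyed by Call ID
    # The remote gateway answers each call with GRE to the address it saw.
    return {h: nat.back(public[h], GRE, calls[h]) for h in calls}
```

With `HideNat` the first client's GRE reply is handed to the second client, which is the "authenticates, then the remote computer did not respond" symptom described above; with `StaticNat` each reply reaches its own host.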
LVL 6

Expert Comment

by:Dooglave
ID: 18840118
Hide NAT PPTP clients are supported in VPN-1 Pro NGX R60 and up, but only if enabled in the SmartDefense tab.


In SmartDashboard:

   1. Select 'SmartDefense > Application Intelligence > VPN Protocols > PPTP Enforcement' and verify that the PPTP Enforcement checkbox is checked.

   2. Install policy.
LVL 6

Expert Comment

by:Dooglave
ID: 18954418
So have you made any progress?

Author Comment

by:lowfell
ID: 18961176
Because we are on R55 I had to use static NAT. THIS NOW WORKS with static NAT. I want to close the call now. I'll give you the points. Although you didn't get me the solution, strictly speaking, you have been very helpful & I greatly appreciate your help.