
How to liberate Checkpoint VPN NGX R60 through OpenBSD firewall?

I need to allow external access for Checkpoint VPN NGX R60 through an OpenBSD firewall, but I couldn't find any solution yet. Does anyone know how I can do this?

Software Engineer
Distinguished Expert 2019
Assuming you mean IPSEC VPN access, there is a challenge if the OpenBSD firewall also does NAT.
NAT and IPSEC don't behave well together. (Well, IPSEC was meant to verify the other's credentials, and NAT is a kind of lying about identity...)

Effectively, the ESP protocol (tunnel) is IP protocol 50, like TCP is 6 and UDP is 17.
ESP has no concept of ports, so you can only pass it on to one host internally.
In that case you need to be able to set a different local gateway address on the VPN appliance than its own external address.

Besides this, there is the IKE protocol (UDP port 500 for both source and destination), so here also there can only be one inside.

Some firewall appliances use port 4500 to pack ESP into UDP packets to allow NAT. That's called NAT-T.

I don't know Checkpoint firewalls, but I use openswan myself and I have access to Zywall firewalls. The former one can handle this kind of connection, the second one cannot.
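
The three traffic classes named in the answer above (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50), written as a pf.conf fragment that hands them to a single internal gateway. This is an added example, not part of the original thread; the interface name and the address are placeholders, and it assumes the `rdr-to`/`nat-to` rule syntax of OpenBSD 4.7 and later.

```pf
# Added example, not from the original thread.
# Assumed placeholders: adjust to the real network.
ext_if = "em0"            # external interface of the OpenBSD firewall
cp_gw  = "192.168.10.2"   # internal address of the Check Point gateway

# Inbound IKE (UDP 500). Only one inside host can receive it, so it is
# redirected to the single VPN gateway. "from any" can be narrowed to a
# table of known peer addresses when the peers are fixed.
pass in on $ext_if inet proto udp from any to ($ext_if) port 500 \
    rdr-to $cp_gw

# Inbound NAT-T (ESP packed into UDP 4500).
pass in on $ext_if inet proto udp from any to ($ext_if) port 4500 \
    rdr-to $cp_gw

# Inbound ESP (IP protocol 50). There are no ports to match on, so every
# ESP packet arriving on the external address goes to the same host.
pass in on $ext_if inet proto esp from any to ($ext_if) \
    rdr-to $cp_gw

# Outbound IKE and NAT-T from the gateway. static-port keeps the source
# port unchanged, because IKE uses port 500 as source and destination.
pass out on $ext_if inet proto udp from $cp_gw to any port { 500, 4500 } \
    nat-to ($ext_if) static-port

# Outbound ESP from the gateway: only the address is translated.
pass out on $ext_if inet proto esp from $cp_gw to any \
    nat-to ($ext_if)
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it. The rest of the ruleset still has to pass the redirected traffic on the internal interface, and the gateway needs its local gateway address set to the firewall's external address, as the answer describes.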
Top Expert 2015

Do you want checkpoint to act as VPN server or as a client?


Thanks for the light. I was thinking that no one was goin' to solve this. Thanks a lot. We didn't fully try your solution yet, but it seems to be the right one. See you.
