How to liberate Checkpoint VPN NGX R60 through OpenBSD firewall?

I need to allow external access for Checkpoint VPN NGX R60 through an OpenBSD firewall, but I couldn't find any solution yet. Does anyone know how I can do this?
alexandrethsilva asked:
noci (Software Engineer) commented:
Assuming you mean IPSEC VPN access, there is a challenge if the OpenBSD firewall also does NAT.
NAT and IPSEC don't behave well together. (Well, IPSEC was meant to verify the other's credentials, and NAT is a kind of lying about identity...)

Effectively the ESP protocol (tunnel) is IP protocol 50,
like TCP is 6 and UDP is 17.
ESP has no concept of ports, so you can only pass it on to one host internally.
In that case you need to be able to set a different local gateway address on the VPN appliance than its own external address.

Besides this there is the IKE protocol (UDP port 500 for both source and destination), so
here also there can only be one inside.

Some firewall appliances use port 4500 to pack ESP into UDP packets to allow NAT. That's called NAT-T.

I don't know Checkpoint firewalls, but I use openswan myself and I have access to Zywall firewalls. The former one can handle this kind of connection, the second one cannot.
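As an added example (not from the original answer or from Check Point), here are OpenBSD pf.conf rules that implement what noci describes: forward IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from the external address to a single internal VPN gateway, while the firewall NATs everything else. It assumes the post-4.7 `match ... rdr-to`/`nat-to` syntax; the interface names, the internal network and the gateway address 192.0.2.10 are constructed placeholders.

```pf
# Constructed placeholders: adjust to the real interfaces and addresses
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
vpn_gw  = "192.0.2.10"        # internal address of the Check Point gateway

set skip on lo

# ESP carries no port numbers, so it can only be redirected to ONE internal
# host; the VPN appliance must then be told that its public ("link") address
# is the firewall's external address rather than its own.
match in on $ext_if proto esp from any to ($ext_if) rdr-to $vpn_gw

# IKE uses UDP 500 on both source and destination; NAT-T encapsulates ESP in
# UDP 4500. Both are redirected to the same single internal gateway.
match in on $ext_if proto udp from any to ($ext_if) port { 500 4500 } \
    rdr-to $vpn_gw

# Filter rules see the already translated (internal) destination address.
pass in on $ext_if proto esp from any to $vpn_gw
pass in on $ext_if proto udp from any to $vpn_gw port { 500 4500 }

# Outbound NAT. static-port keeps the gateway's source port 500/4500 intact
# when it initiates IKE, since peers expect IKE to come from port 500.
match out on $ext_if from $vpn_gw to any nat-to ($ext_if) static-port
match out on $ext_if from $int_net to any nat-to ($ext_if)

pass out on $ext_if
pass on $int_if

# Default deny for anything not explicitly allowed above
block in on $ext_if
```

Load and check with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`; `pfctl -ss | grep -E 'esp|:500|:4500'` then shows whether the ESP and IKE states are actually being created for the internal gateway.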

gheist commented:
Do you want checkpoint to act as VPN server or as a client?
alexandrethsilva (Author) commented:
Thanks for the light. I was thinking that no one was going to solve this. Thanks a lot. We haven't fully tried your solution yet, but it seems to be the right one. See you.