• Status: Solved
  • Priority: Medium
  • Security: Public

How to liberate Checkpoint VPN NGX R60 through OpenBSD firewall?

I need to allow external access for Checkpoint VPN NGX R60 through an OpenBSD firewall, but I couldn't find any solution yet. Does anyone know how I can do this?

Asked by: alexandrethsilva
1 Solution
 
noci (Software Engineer) commented:
Assuming you mean IPSEC VPN access, there is a challenge if the OpenBSD firewall also does NAT.
NAT and IPSEC don't behave well together (well, IPSEC was meant to verify the other's credentials, and NAT is a kind of lying about identity...).

Effectively the ESP protocol (tunnel) is IP protocol 50, like TCP is 6 and UDP is 17.
ESP has no concept of ports, so you can only pass it on to one host internally.
In that case you need to be able to set a different local gateway address on the VPN appliance than its own external address.

Besides this there is the IKE protocol (UDP port 500 for both source and destination), so
here also there can only be one inside.

Some firewall appliances use port 4500 to pack ESP into UDP packets to allow NAT. That's called NAT-T.

I don't know Checkpoint firewalls, but I use openswan myself and I have access to Zywall firewalls. The former one can handle this kind of connection, the second one cannot.
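As an added illustration of what noci describes above (this is not code from the thread, nor Check Point or OpenBSD project documentation), here is a pf.conf fragment for an OpenBSD firewall that does NAT and forwards IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) to a single internal VPN gateway. Interface names and the internal gateway address are assumed placeholders; the `rdr-to` form is the syntax of current OpenBSD releases (older releases expressed the same thing with separate `rdr` rules).

```pf
# Added example, not from the original thread. Assumed names: em0 = external
# interface, em1 = LAN interface, 192.0.2.10 = internal address of the VPN gateway.
ext_if = "em0"
int_if = "em1"
vpn_gw = "192.0.2.10"

# Ordinary outbound NAT for the LAN (covers the gateway's outgoing ESP/IKE too).
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# IKE: UDP 500 on both source and destination. Only one inside host can own it.
pass in on $ext_if proto udp from any to ($ext_if) port 500 rdr-to $vpn_gw port 500

# NAT-T: ESP encapsulated in UDP 4500, used when a NAT sits between the peers.
pass in on $ext_if proto udp from any to ($ext_if) port 4500 rdr-to $vpn_gw port 4500

# ESP: IP protocol 50. No ports, so pf can only send it to one internal host.
pass in on $ext_if proto esp from any to ($ext_if) rdr-to $vpn_gw

# Let the redirected traffic leave toward the gateway on the LAN side.
pass out on $int_if proto esp from any to $vpn_gw
pass out on $int_if proto udp from any to $vpn_gw port { 500, 4500 }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -ss` while a peer connects: you should see UDP states for ports 500/4500 and, without NAT-T, an ESP state keyed only on addresses, which is exactly why a second internal gateway cannot share the same external address.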
 
gheist commented:
Do you want checkpoint to act as VPN server or as a client?
 
alexandrethsilva (Author) commented:
Thanks for the light. I was thinking that no one was going to solve this. Thanks a lot. We haven't fully tried your solution yet, but it seems to be the right one. See you.
