We help IT Professionals succeed at work.

How to liberate Checkpoint VPN NGX R60 through OpenBSD firewall?

I need to allow external access for Checkpoint VPN NGX R60 through an OpenBSD firewall, but I couldn't find any solution yet. Does anyone knows how can I do this?
Comment
Watch Question

Software Engineer
BRONZE EXPERT
Distinguished Expert 2019
Commented:
Assuming you mean IPSEC VPN access there is a challenge if the OpenBSD firewall also does NAT.
NAT and IPSEC don't behave well together. (well IPSEC was meant to verify the others credentials, and NAT is a kind of lying about identity...);

Effectively the ESP protocol (tunnel) is IP protocol 50
Like TCP is 6 and UDP = 17.
ESP has no concept of ports so you can only pass it on to one host internaly.
In that case you need to be able to set a different local gateway address on the VPN appliance then its own external address.

Besides this there is the IKE protocol (UDP port 500 for both Source & destination) so
here also there can only be one inside.

Some firewall appliances use port 4500 to pack ESP into UDP packets to allow NAT. That's called NAT-T.

I dont known Checkpoint firewalls but use openswan myself and I have access to Zywall firewalls. The former one can handle this kind of connection, the second one cannot.
Top Expert 2015

Commented:
Do you want checkpoint to act as VPN server or as a client?

Author

Commented:
Thanks for the light. I was thinking that no one was goin' to solute this. Thanks a lot. We didn't fully tried your solution yet, but it seems to be the right one. See you.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.