Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Checkpoint VPN through Iptables

Posted on 2010-08-23
5
Medium Priority
?
917 Views
Last Modified: 2012-05-10
My company have a firewall Linux / iptables, managed by firewallbuilder.

There is a user in my company, that needs to access a another company using a VPN client (Check Point VPN-1 SecureClient NGX R60 HFA2). But I am not able to perform this configuration in firewallbuilder / iptables.

The another company IT, which has firewall checkpoint, said that I needed just allow udp 500 port to ther firewall and put the rule as stateful. I confirmed that all rules in firewallbuilder are stateful by default and even allow all ports from client to destination, the VPN client does not work.

How can I troubleshoot this problem?
0
Comment
Question by:strausswalter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
jimmyray7 earned 2000 total points
ID: 33503902
Try also allowing UDP port 4500, which is sometimes used if a client is behind NAT.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33519914
I have a cp secureclient (r60, but r56 works too) behind a nat. the boxes to tick are office mode and both udp encapsulation boxes in the advanced settings properties page for the connection.
0
 

Author Comment

by:strausswalter
ID: 33521468
I am concluding that the problem is not about ports, I already allow all ports. The problem apparently, is NAT related. I sow that IPSec is not compatible with traditional NAT, I would have to enable NAT-T. I am researching how to setup this type of NAT in iptables.

Using a direct Internet link at client computer (without NAT), the VPN client run normally.
0
 

Author Comment

by:strausswalter
ID: 33585750
Problem solved.

With the help of the company that use this vpn client, I downloaded the VPN client and tried re-install the vpn client in another computer. Looking for the client IP in iptables logs (tail -f /var/log/messages | grep 10.220.2.4) I could see a connect to another company firewall IP (201.x.x.x) at 4500 port. But in a secound connection the VPN client attempted to connect in a strange internal IP (10.1.x.x) at port 500.

The problem was that another company already owned the network 10.220.0.0, but they did not realize it. We assume, after these results, that after the first access the VPN client downloaded the another company network topology and the vpn client thought that it was in the company network and attempted to access a internal server.

We create a separate VLAN to this client, with another network address.

Now it is working properly.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33586747
no company owns 10.x.x.x - its an rfc1918 subnet :)
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question