VPN-1 Checkpoint wrong gateway

VPN-1 Checkpoint wrong gateway christian maier 05-27-2007
Posted by christian maier on May 27, 2007, 6:55 am
Does anybody know how the checkpoint VPN-1 client gets the gateway
address? Some strange things are happening here.
When the pc is connected directly to the modem of the internet provider
the vpn-1 connection works fine.
When the pc is connected to the private LAN, it cannot connect to the
vpn-gateway (gateway not responding). The problem is that the client
now wants to connect to a private gateway ip address and not to the
official address. And of course it cannot reach a private address over
the internet.

Thanks.

Christian

Posted by Wolfgang Kueter on May 27, 2007, 8:28 pm
christian maier wrote:

> Does anybody know how the checkpoint VPN-1 client gets the gateway
> address?

It simply uses the routing table. 'netstat -rn' or 'route print' tells you
what it looks like.

> Some strange things are happening here.

No, the effects you observe are pretty normal when running a VPN client
behind a NAT gateway.

> When the pc is connected directly to the modem of the internet provider
> the vpn-1 connection works fine.

OK.

> When the pc is connected to the private LAN, it cannot connect to the
> vpn-gateway (gateway not responding). The problem is that the client
> now wants to connect to a private gateway ip address and not to the
> official address. And of course it cannot reach a private address over
> the internet.

Classic NAT-T Problem ...

IPsec and NAT can be a bit of a problem ...

Wolfgang

Posted by Robby Cauwerts on May 28, 2007, 11:27 am
> christian maier wrote:
> > Does anybody know how the checkpoint VPN-1 client gets the gateway
> > address?
>
> It simply uses the routing table. 'netstat -rn' or 'route print' tells you
> what it looks like.
>

Nope, the vpn client looks up the vpn gateway topology in the userc.C
file under: "C:\Program Files\CheckPoint\SecuRemote\database"

> > When the pc is connected to the private LAN, it cannot connect to the
> > vpn-gateway (gateway not responding). The problem is that the client
> > now wants to connect to a private gateway ip address and not to the
> > official address. And of course it cannot reach a private address over
> > the internet.
>
> Classic NAT-T Problem ...
>

Does your private LAN ip address fall into a subnet located behind
the vpn gateway?
If yes: the vpn client looks into the userc.C and thinks that it's
directly connected on a subnet behind the vpn gateway and will try to
connect to the ip address of the firewall on that subnet instead of
the public ip.

SK sk15830 will give you more information about this:

"Symptom: "Communication with site fails"

There can be a few reasons:

Key exchanges performed with the wrong interface IP address of the
VPN-1/FireWall-1 Module.

Explanation:
By default, the parameter "resolve_interface_ranges" is "true" in the
VPN-1/FireWall-1 Module's objects_5_0.C file. This parameter enables
the module to send its topology data to the Client during topology
download. In a situation with private IP networks, SecuRemote/
SecureClient may attempt to exchange keys with the wrong interface IP
address (private instead of public).

Workaround:
Set the parameter "resolve_interface_ranges" to "false" in
objects_5_0.C file.
"

Br.
Robby
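The overlap Robby describes can be checked before a site fails. The following is an added example, not code from the thread or from Check Point: it models a topology-driven client that, with resolve_interface_ranges enabled, treats a local address inside any interface range as "behind" the gateway and keys with that interface's IP, versus the sk15830 workaround of always using the public address. The GATEWAY dictionary is a constructed stand-in (its field names are assumptions), not the real userc.C format.

```python
# Added example (not from the thread): model of how a topology-driven VPN
# client picks a gateway address, so the private-LAN overlap described above
# can be diagnosed. GATEWAY is constructed, not a real userc.C; its field
# names are assumptions.
import ipaddress

# Constructed gateway topology: the public address plus the interface
# ranges the module sends to the client during topology download.
GATEWAY = {
    "public_ip": "203.0.113.10",
    "interfaces": [
        {"ip": "203.0.113.10", "mask": "255.255.255.0"},  # external
        {"ip": "192.168.1.1", "mask": "255.255.255.0"},   # internal LAN
        {"ip": "10.0.0.1", "mask": "255.255.255.0"},      # DMZ
    ],
}


def interface_ranges(gateway):
    """Return (subnet, interface_ip) pairs derived from the topology."""
    out = []
    for iface in gateway["interfaces"]:
        net = ipaddress.ip_network(f"{iface['ip']}/{iface['mask']}", strict=False)
        out.append((net, ipaddress.ip_address(iface["ip"])))
    return out


def pick_gateway(local_ip, gateway, resolve_interface_ranges=True):
    """Address the client would use for key exchange.

    With resolve_interface_ranges=True, a local address that falls inside an
    interface range makes the client key with that interface's (possibly
    private) IP. With False, it always uses the public address, which is the
    sk15830 workaround.
    """
    local = ipaddress.ip_address(local_ip)
    if resolve_interface_ranges:
        for net, iface_ip in interface_ranges(gateway):
            if local in net:
                return str(iface_ip)
    return gateway["public_ip"]


def overlapping_ranges(local_ip, gateway):
    """Diagnostic: topology ranges that contain the client's own LAN address."""
    local = ipaddress.ip_address(local_ip)
    return [str(net) for net, _ in interface_ranges(gateway) if local in net]


if __name__ == "__main__":
    for addr in ("198.51.100.7", "192.168.1.50"):
        print(addr, "->", pick_gateway(addr, GATEWAY), overlapping_ranges(addr, GATEWAY))
```

A non-empty overlap list for the client's LAN address is the condition that produces "gateway not responding" in the thread; an empty list means the public IP is used either way.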



Posted by flamer die.spam@hotmail.com on May 27, 2007, 9:32 pm
> Does anybody know how the checkpoint VPN-1 client gets the gateway
> address? Some strange things are happening here.
> When the pc is connected directly to the modem of the internet provider
> the vpn-1 connection works fine.
> When the pc is connected to the private LAN, it cannot connect to the
> vpn-gateway (gateway not responding). The problem is that the client
> now wants to connect to a private gateway ip address and not to the
> official address. And of course it cannot reach a private address over
> the internet.
>
> Thanks.
>
> Christian

You can create a rule that says: when traffic from xx goes to yy, keep the
original source and destination address (i.e. do not NAT this packet).

Flamer.

