04-09-2012 11:19 PM
Hi!
I am using an SRP527W as gateway to the internet at home.
The router is running newest Firmware Version 1.01.26
Everything running fine so far, except getting a connection to the vpn network of the comany i am working for.
They have checkpoint firewall an on my corporate notebook the Checkpoint SecureClient is installed.
My network is configured like this:
Internet --- dsl/pots line --- SRP ---- 24 Port SWITCH (SRW224) ---- Wifi-AP (E2000)
I tried the notebook on Wifi, on the Switch with Lan Cable, and directly on a LAN Port of the SRP, same Problem everywhere.
The client tries to connect but timouts all the time, so i guess the packets coming back are not passing the SRP.
When changing the SRP to the original modem/router that i got from the ISP, the VPN connection is working.
With the 3G Data Card in the notebook the connection is also established without problems.
On the SRP the Passthrough VPN Options are checked.
Before i had Linksys WAG200 installed with the same problem.
I changed to the SRP because i need the built in VPN server (working perfect also), and also i was hoping to get the Checkpoint VPN working.
So, any hints about that?
Greetings
H.B.
04-17-2012 11:43 PM
Hi!
Really no ideas guys?
Do you need more details?
It would be very fine to get this working, but without help i don't get it.
With google search i found out, that on other cisco devices they got it running with access lists (open some ports for specific checkpoint firewall ip adress). But i guess access lists are not implemented in SRP?
Greetings
H.B.
04-18-2012 01:32 PM
Hello Hubert,
What kind of VPN client is the software you are using? Is the Checkpoint software IPSEC? if it is you might look and see if they have the ability to reduce the MTU of the adapter. Cisco VPN client has this ability so if the MTU is over the WAN limits it will fragment the packet causing the packet to be dropped. If you lower the VPN Client MTU to below the fragment size it should work.
It sounds like it might be a configuration issue on the CheckPoint software. If they are not able to modify you might be able to trick it by artificially setting the WAN MTU on your SRP, but that would set all packets to that lower MTU which might reduce performance.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
04-19-2012 03:20 AM
Hi Hubert,
I'm really not at all familiar with the Checkpoint client, but from a quick look around the Internet, see if the following works:
Create a port forwarding rule for udp port 2746 - this is Checkpoint specific encapsulation. Trigger this on outbound port 500 traffic.
Config should look something like the following:
If that doesn't work, try also adding a forwarding rule for udp port 18234 (I think this has something to do with tunnelling - not sure if your client is attempting to use that.
If that doesn't work, please grab a Wireshark trace from your PC when attempting to set up the connection.
Regards,
Andy
04-19-2012 09:53 AM
Hi Andy and Randy!
Thanks for your answers.
I tried both of them, lowering mtu size to 1400 and adding these Port Range Triggerings, without success.
Sitll the same, no answer from gateway.
In checkpoint secure client diagnostics i can see that there is a problem with ike negotiation phase 1 (failure -125).
I can see that the client tries to connect to destination port 18234, source port is some random port.
Also in wireshark i can see that the client tries to connect every secound to destination ip with port 18234.
But i can't see any incoming packets.
On the client i have 3 profiles, but i can't change settings. I only can choose one of the profiles, but none is working.
The difference in the profiles are some combinations of checked or unchecked parameters like use nat tunnel, ike over tcp, udp encapsulation.
So looks like, answer from the gateway in ike phase 1 is not receiving my pc.
Regards
H.B.
04-19-2012 10:53 AM
Hi,
I notice that IKE may use TCP or UDP port 500. Try changing the protocol in the above triggering example to both.
So - and apologies for making this a little hit a miss - try the following:
1. Create multiple trigger rules (as above, but with the following forwarded ports):
a) 500, both
b) 18231, both
c) 18234, UDP
d) 2746, UDP
2. If that doesn't work, try creating static NAT port forwarding rules for all of the above ports. This requires the client to have a specific, static IP address, which of course is not ideal, but at least might help isolate where we need to look closer at this.
Cheers
Andy
04-19-2012 12:02 PM
Hi!
I tried with static port forwardings:
But still the same:
The shorter .1 dest IP adress is the internal ip of the gateway, but still not completing phase 1 it's clear that i can't acces this one.
But very strange, no incoming packets, and no i did not filter them out :-)
I changed to wired lan in this test, before it was wifi connection, therefore my new internal ip .69
Regards
H.B.
04-20-2012 06:41 AM
It looks like you are double NATing? Is the WAN a private address on the SRP? If so this could be the issue. VPN's don't work well when they are NATTed once if NATTed twice they barley ever work. You might need to get the router on a public Ip that might mean setting the modem to bridge mode.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
04-20-2012 08:33 AM
Hi Randy!
I'm using the internal dsl modem (PPPoA) of the srp, and get dynamic public WAN IP from the provider.
My configuration is like this:
POTS/DSL Line ------- SRP------ Switch -------- Notebook
Don't know where a double nat should be.
Regards
H.B.
04-20-2012 09:06 AM
I am looking at the wire capture and the WAN configuration and I see the ip of 10.x.x.x as the WAN address. This is a private address on the WAN. So from the LAN of what ever the subnet is to WAN would need to NAT then from the WAN IP of 10.x.x.x to what ever your public ip is on that network. If you go to ipchicken.com what is your outside ip address?
That is the address that should be on your SRP, you might have to talk to your provider to get this resolved. I would think they were giving you a Public address if you are the modem.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
04-20-2012 10:44 AM
Ok, i think i know what you mean.
The trace was taken directly on the notebook where the checkpoint client is installed.
Therefore the source ip is a 10.17.1.xxx private lan ip adress from srp dhcp server.
My public ip at the moment is an 80.123.x.x. adress, i can also see it on the srp > interface setup > internet setup page
Interface WAN1, PVC0, PPPoA connection, ip 80.123.x.x
04-20-2012 11:10 AM
I don't want to assume anything so I will ask, this works at a different location correct?
Does it work hard wired? It looks from the diagram you are wireless correct?
You will need to forward all ports on the machine doing NAT to the gateway
related to SecurClient/SecureRemote.
From their KB:
If there are other firewalls Allow the following services:
TCP/264 (Topology Download)
IKE
IPSEC and IKE (UDP on port 500)
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
TCP/500 (if using IKE over TCP)
UDP 2746 or another port (if using UDP encapsulation)
SecureClient specific connections:
FW1_scv_keep_alive (UDP port 18233) — used for SCV keep-alive packets
FW1_pslogon_NG (TCP port 18231) or (TCP port 65524 for Application
Intelligence) — used for SecureClient's logon to Policy Server protocol
FW1_sds_logon (TCP port 18232) — used for SecureClient's Software Distribution
Server download protocol tunnel_test (UDP port 18234) - used by Check Point tunnel testing application
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
04-20-2012 11:33 AM
It works with 3G pcmcia data card in the notebook.
It also worked with the origial pirelli modem/router which was installed by my dsl provider; without configuring anything like port forwardings. It also works at a friend who has speedtouch modem/router.
On srp it is not working, no matter how i connect the notebook to the lan. The first trace i posted with ip 10.17.1.66 was from wifi, the second with .69 ip from wired lan.
It also did not work with linksys wag200g i used before i bought srp (had this wag at home from my last provider).
So ist looks a little bit like cisco/linksys problem, maybe the other vendors detect this as vpn traffic and let it pass through their devices?!? I don't know.
I will try these port forwardings also just to be sure, anyway i don't want to keep all these ports opened all time, or activate them when i need it, so i will have to find bettet solution IF it's working then.
04-20-2012 12:02 PM
If that still dosn't work I would suggest calling into the 1866-606-1866 phone support make sure you provide the forum post so you don't have to go back through some of the trouble shooting they can attach the forum post to the case. We don't have a Checkpoint router but we can test with some other IPSEC software and see if it blocks it as well. If it dosn't block it then we may have to team try to connect to your Checkpoint through a SRP to see if we can replicate.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide