CPUG: The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Hello all! It's my first post, so I'm not sure this is the right place to put a post like this.

I was trying to set up a VPN connection to my Check Point NG R55 using the SecuRemote client. All of the Check Point's interfaces have private addresses, so to connect from outside, NAT is performed on a Cisco router which serves as the gateway to the internet and has one public interface. The router is a Cisco 832 SOHO router. Here's how it looks: I connect to the public interface of the router with the SecuRemote client. The client connects to the firewall, then I get a window asking for username and password, but when the client is exchanging keys with the firewall nothing happens and I get an error that communication failed. On the Check Point's side everything is OK. I've set up a Remote Access community, group, users, rules, ... When I connect from the internal network everything is fine, so I suppose the problem is on the Cisco router, especially the NAT configuration.

Should I forward some ports to external clients? If yes, which ones? I've tried forwarding udp-500 (IKE), tcp-264 (fw1_topo) ... but it didn't help. Any ideas and suggestions appreciated. Thank you.

This will not work. You need to have a public address on the Check Point firewall. NATing the SecuRemote connection at the router breaks the IPsec tunnel. Without getting into all the technical details, IPsec knows when you've changed the IP headers. The keying of the tunnel most likely is successful, but the client's VPN traffic to the firewall is being dropped at the firewall because the IPsec or IPsec-in-UDP packets have been tampered with. Give your firewall a public IP address. And I would further advise you to move your NATing to the firewall. You'll find that it's easier and more powerful.

It's really the best solution to get a public IP on your Check Point box. But if you have a configuration where it's really not possible, there is a workaround to pass SecuRemote connections in NAT traversal mode. Ask me for details if you really need to do it (I have one installation like this; it works). Also, I've seen some options in NGX; I think it would be possible to do it on NGX without any workaround.

The problem is that your SecuRemote tries to connect to the firewall using the downloaded topology (userc.c). There is no public IP in this file because this address is assigned to the router, not to the firewall. The idea is to assign this IP address to one virtual interface of the firewall, so SecuRemote will be able to find this address in userc.c. I've tested this solution with NG FP3 Standalone under SecurePlatform. I don't know if it works with another version of VPN-1. Anyway, on the client side you must use UDP encapsulation to pass your router.

1. First of all, you need to configure NAT on your router. If you can translate all TCP/UDP ports to the firewall, that's great. If not, you'll need 500/tcp (IKE-tcp), 500/udp (IKE), 264/tcp (FW-topo), 2746/udp (IPSEC-encapsulation). If you use SecureClient, also 18231/tcp (Policy Server). Maybe there is something else; try to search your router logs (I may have forgotten something...).
2. Create a VLAN interface on your DMZ NIC. You don't need any real connection to it. Put there the public IP address assigned to your router (it must be static!). Define the topology as 'This network' (it would be better to define 'External', but probably there is a bug in ARP proxy and it does not work).
3. Install policy.
4. Change the IP address of your firewall object: put the address you have on the VLAN interface from step 2.
5. Be sure that in 'Global Properties' -> 'Remote Access' -> 'VPN-Advanced' the 'Resolving mechanism' is 'Enable SecuRemote/SecureClient to calculate statically peer gateway's best interface based on network topology'.
6. Install policy.
7. Recreate the site in SecuRemote.

I hope it works for you. If it does not work, try the second option in step 5. Anyway, try to get a public IP address for your firewall; this workaround does not work for site-to-site VPNs.
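The router side of step 1 above, written out as a Cisco IOS configuration. This is an added example and not part of the original post or anyone's posted configuration. The interface names (Ethernet0 as the LAN side, Ethernet1 as the WAN side), the 192.168.1.0/24 LAN, the Check Point address 192.168.1.1 and the public address 203.0.113.10 are all assumptions; the port list is exactly the one the post gives, each forwarded to the firewall's private address with a per-port static translation, while the rest of the LAN keeps ordinary PAT on the same public address.

```cisco
! Added example, not from the original post. Assumed layout for a Cisco 832:
!   Ethernet0 = LAN side (inside), router 192.168.1.254, Check Point gateway 192.168.1.1
!   Ethernet1 = WAN side (outside), static public address 203.0.113.10
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
! Per-port static translations for the SecuRemote ports listed in step 1.
! IKE (UDP 500)
ip nat inside source static udp 192.168.1.1 500 203.0.113.10 500
! IKE over TCP (TCP 500)
ip nat inside source static tcp 192.168.1.1 500 203.0.113.10 500
! FW1_topo, topology download (TCP 264)
ip nat inside source static tcp 192.168.1.1 264 203.0.113.10 264
! UDP-encapsulated IPsec (UDP 2746)
ip nat inside source static udp 192.168.1.1 2746 203.0.113.10 2746
! Policy Server, only needed for SecureClient (TCP 18231)
ip nat inside source static tcp 192.168.1.1 18231 203.0.113.10 18231
!
! Ordinary outbound PAT for everything else on the LAN; a static port
! mapping above takes precedence over the overload entry for that port.
ip nat inside source list 1 interface Ethernet1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

To check it while a client connects, run `show ip nat translations` on the router: you should see inside-global entries for 203.0.113.10 on UDP 500 during the key exchange and on UDP 2746 once encapsulated traffic starts flowing; a missing 2746 entry means the client is not using UDP encapsulation and the ESP packets are being translated (and then discarded by the firewall, as the earlier reply explains). If you add an inbound access list on the WAN interface, remember that on IOS it is evaluated before outside-to-inside translation, so it must permit these ports on the public address, not on 192.168.1.1.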
Hello again! Thanks for your answer. I didn't have time to look at your reply until now. I understand everything in your instructions except point 4. Does it mean that I have to change the main IP address of the firewall object in SmartDashboard?
It can produce problems accessing the external network of your router. To minimize this, try to put the mask 255.255.255.255 or 255.255.255.252 on this address. I have no statistics; it works on one gateway, I didn't try it anywhere else.