CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, what's the best way to set up VPN tunnels to remote sites (that do not have Checkpoint at all) without having to manually static NAT every single address from my network? For instance, I have a remote site running a Nortel Contivity VPN device. The only way right now for a machine from here to access that and succeed is if I statically NAT it to a public address. The remote site does not belong to me and so I have no control over it. All the remote site can do is simply allow my block of IPs to access the Contivity device. I am running Checkpoint NG FP3. Thanks for any help.

Last edited by Jahk Nah Rai; 2005-11-04 at 15:04.
| |||
| To set up a VPN tunnel, you will have to have the admin of the Nortel set up the same on that end. You can't just set one up from your site without any intervention on the other side. |
| |||
| Right I do understand that, however, it seems that even though the admin at the other end can set up rules on his Nortel device I still have to resort to statically NATing every internal address here in order for the VPN communication to work. I've tried otherwise without NAT or hide NAT and it doesn't work. I believe it's due to the fact that NATing alters the address information necessary for VPN to work. I do realize there is a VPN community feature in Checkpoint NG but it only works with Checkpoint devices, not others. I don't have all the public IPs in the world to statically NAT every internal device to so I'm wondering if there's a better way to simply pass all VPN traffic through my Checkpoint firewall without any NAT applied to it. |
| |||
| What are you doing to try to get VPN to work, not including the static NAT? We'd need to know what you have done so far to work out what else you need to do. I can assure you checkpoint will definitely do VPN to none-checkpoint sites without the need to static NAT every device, but it's entirely possible the other end isn't set up properly even if your end is. |
| |||
| Right now, I have to manually assign static public IPs to internal hosts in order for outbound IKE/IPSEC connections to work. If I simply hide it behind the external interface of the firewall, the connection will not work. I have connections going out to Nortel Contivity devices as well as Microsoft Windows 2000 RAS/VPN setups. It is possible the other end isn't set up properly. I think for the most part the other end sites simply add my IP block to their access list. |
| |||
| Like Lackie and Simon said, you shouldn't need to NAT anything going through a Site to Site VPN (unless you are using the same private subnets on both sides). The IKE/IPSEC traffic is initiated from your Firewall to their Nortel device and vice versa, not from your internal hosts. Once the firewalls exchange keys and the tunnel is created, the packets with the private address range IP's are encapsulated by the firewall and routed across the internet using the firewall's public IP address. I would recommend looking in SmartView tracker to make sure you aren't getting any encryption error. It sounds to me (and I think Lackie and Simon) like you are just allowing the traffic from your internal host to the Nortel side unencrypted, because you are using Static NAT... Hope this helps... Let us know... __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
| |||
| After reading back, you never stated if this was a site to site VPN or a client to site VPN. Are you using a Nortel client to connect to his Nortel VPN server? __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
| |||
| czech: Yes it's CLIENT to SITE VPN...I'm sorry I should have stated that before. Yes in most cases internal clients use a Nortel Contivity software client to connect to the other network's Contivity server. I also have a case of a user using Microsoft's VPN client to connect to a Microsoft Windows 2000 VPN box at another location. Ideally, I would like for anyone to take advantage of this VPN instead of just a few workstations. Thus the thought of a site to site VPN would be great as well. Please keep in mind that in both cases, the outside networks do no utilize Checkpoint FW1. If they did, I'm sure things would be easier because I can set up communities, encryption domains, etc. Last edited by Jahk Nah Rai; 2005-11-16 at 07:12. |
| |||
| There are issues with using Hide NAT while connecting to a Nortel Contivity Switch and all IPSEC VPN devices. If there code is somewhat current, tell them to turn on IP NAT Traversal. This will correct problems with Hide NAT. The problem is not with Check Point, it is with the Nortel and the nature of IPSEC VPNs. __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
| |||
| I am having the same problem. I can get one VPN Client to connect going through (a static NAT) to the Nortel concentrator, but if I try to have another user (also statically NATed) they cannot connect. Any Suggestions? Thanks |
| |||
| I was told in September that Nortel FINALY fixed NAT-T on their vpn client. I would try getting the Nortel upgraded to the current version if you can, if not static one-to-one nat is your only option. -jlh |
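The replies above boil down to one mechanism: ESP carries no port numbers, so a many-to-one Hide NAT has nothing to multiplex several inside clients on, whereas NAT Traversal wraps ESP in UDP/4500 and gives the NAT a port to rewrite. The toy model below is an added illustration written for this page, not code from the thread, from Check Point or from Nortel. It simulates a port-translating Hide NAT in front of two inside clients talking to one remote gateway, first with plain ESP and then with ESP-in-UDP, and reports which client actually receives its reply. All addresses, ports and SPIs are constructed; the NAT deliberately does no SPI tracking, which is the behaviour the thread describes.

```python
"""Why one IPsec client behind Hide NAT may work but a second one fails,
and why NAT-T (ESP-in-UDP/4500) fixes it. Constructed teaching model."""
from dataclasses import dataclass, replace
from typing import Optional

FW_PUBLIC_IP = "203.0.113.10"   # constructed: firewall's external address
PEER_IP = "198.51.100.20"       # constructed: remote VPN gateway
NAT_T_PORT = 4500               # UDP port used by NAT-T (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "UDP" or "ESP"
    src_port: Optional[int] = None   # UDP only; ESP has no port fields
    dst_port: Optional[int] = None   # UDP only
    spi: Optional[int] = None        # ESP only; picked by the receiver, opaque to the NAT


class HideNat:
    """Many-to-one NAT that multiplexes inside hosts on the translated source port."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 10000
        self.udp_out = {}    # (inside_ip, inside_port, peer_ip, peer_port) -> translated port
        self.udp_in = {}     # translated port -> (inside_ip, inside_port)
        self.esp_owner = {}  # peer_ip -> the single inside host bound to ESP from that peer

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "UDP":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key not in self.udp_out:
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = (pkt.src_ip, pkt.src_port)
                self.next_port += 1
            return replace(pkt, src_ip=self.public_ip, src_port=self.udp_out[key])
        # ESP: no port to rewrite, so the first inside host to reach this peer
        # owns the only (public_ip -> peer, ESP) binding the NAT can keep.
        self.esp_owner.setdefault(pkt.dst_ip, pkt.src_ip)
        return replace(pkt, src_ip=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a reply inside, or return None when no mapping exists."""
        if pkt.proto == "UDP":
            hit = self.udp_in.get(pkt.dst_port)
            if hit is None:
                return None
            inside_ip, inside_port = hit
            return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        owner = self.esp_owner.get(pkt.src_ip)
        if owner is None:
            return None
        # Every ESP packet from this peer lands on the one owner, whoever it was meant for.
        return replace(pkt, dst_ip=owner)


def peer_reply(pkt: Packet) -> Packet:
    """The remote gateway answers what it saw on the wire, swapping the endpoints."""
    return Packet(src_ip=pkt.dst_ip, dst_ip=pkt.src_ip, proto=pkt.proto,
                  src_port=pkt.dst_port, dst_port=pkt.src_port, spi=pkt.spi)


def simulate(clients, nat_t: bool):
    """Return {client_ip: bool}: does each client's reply come back to it?"""
    nat = HideNat(FW_PUBLIC_IP)
    results = {}
    for i, client in enumerate(clients):
        if nat_t:
            out = Packet(client, PEER_IP, "UDP", src_port=NAT_T_PORT, dst_port=NAT_T_PORT)
        else:
            out = Packet(client, PEER_IP, "ESP", spi=0x1000 + i)  # constructed SPI
        delivered = nat.inbound(peer_reply(nat.outbound(out)))
        results[client] = delivered is not None and delivered.dst_ip == client
    return results


if __name__ == "__main__":
    inside = ["10.0.0.11", "10.0.0.12"]  # constructed inside clients
    print("plain ESP:", simulate(inside, nat_t=False))  # second client never gets its reply
    print("NAT-T    :", simulate(inside, nat_t=True))   # both clients work
```

With plain ESP the first client succeeds and the second silently loses its replies, which matches the "one user works, the second cannot connect" symptom in the thread; with NAT-T both succeed because each client gets its own translated UDP port. A NAT that tracks ESP SPIs can do better than this model, which is why upgrading both the gateway and the client to code that supports NAT Traversal is the fix the later replies point to.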