
Re: [FW-1] Microsoft PPTP across address translation router



UDP encapsulation is required with the Checkpoint Secureclient/remote to
get a VPN working over NAT. Don't know if it is a feature of Windows
2000.

I think Julian is referring to RFC1918 which stipulates the private
address ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24.

Symon

-----Original Message-----
From: Simon Spurrell, T-GR [mailto:[email protected]]
Sent: 01 October 2002 16:06
To: [email protected]
Subject: Re: [FW-1] Microsoft PPTP across address translation router


Hi Julian,

Thanks for the response.

I do not have control over the NATing router. It belongs to the ADSL
company so I cannot make changes on it directly. I think all ports are
open to go out on so port 2746 will be open.

RFC addresses - what does this mean exactly? All clients have private
(non-routable) IPs and the router only has one public routable IP (DHCP
assigned).

UDP encapsulation - where are the settings for this both on the Windows
2000 client and Windows 2000 server? If UDP encapsulation works this
would save me a lot of time.

So far I like the suggestion on the post to this list recommending the
Checkpoint Secure Remote client. But if there is something easier to
implement I would be happy.

Thanks.
Simon



-----Original Message-----
From: Julian Burton [mailto:[email protected]]
Sent: Tuesday, October 01, 2002 4:08 PM
To: [email protected]
Subject: Re: [FW-1] Microsoft PPTP across address translation router


Presumably you have RFC addresses inside the Remote Office, therefore
all internal hosts are NAT hiding behind the same public address. UDP
encapsulation on the clients will get this working. Be sure that the
NAT gateway in the remote office will pass this on port 2746. It should
not matter whether you get a static or dynamic IP address from your ISP.

Beware, if you have multiple remote locations, that they all use
different RFC address ranges. Otherwise you could end up with 2 clients
using the same address, which will result in neither of them working!

Julian



From: "Simon Spurrell, T-GR" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
Date: 01/10/2002 09:26
Please respond to: Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: [FW-1] Microsoft PPTP across address translation router




I have the following situation:

A Remote Office with 1 to 4 users wants to connect with laptops via PPTP
Remote Access VPN to a Microsoft PPTP VPN server.

The remote office has an Office Grade ADSL router with address translation
and one dynamically assigned IP address for the ADSL router.

In the main office we have a checkpoint firewall with a DMZ. The
Microsoft VPN server has one network card in the DMZ and one network
card on the LAN. We use the IP Address of the DMZ network card for the
VPN tunnel configuration on the clients.

The problem is that only one (sometimes two) clients from the remote office
are able to connect to the Microsoft VPN server. If more than this try
to connect, one client's VPN tunnel is dropped.

I think it is a problem with the ADSL address translation router.

Has anyone had this problem before? When I called the ADSL company they
said, "this is the case because the ADSL router only has one internet
routable IP Address".

The ADSL ISP are able to give me one fixed IP on request. They might be
able to replace the router. They are not able to give me a subnet of
real IPs.

Could anyone advise?

Thanks.
Simon

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
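As an added illustration (not written by any poster in this thread), a Python model of why a router hiding a whole office behind one public address can keep only one PPTP tunnel alive when it has no PPTP-aware helper, while UDP-encapsulated tunnels on port 2746 each get their own port mapping; it also checks Julian's warning about remote sites reusing the same private ranges. The addresses, the gateway class and the assumption that the ADSL router lacks a PPTP helper are all constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

GRE = 47   # PPTP tunnel data travels in GRE, which has no port numbers
UDP = 17   # Check Point UDP encapsulation uses UDP port 2746

class HideNatGateway:
    """Toy model of a router hiding a whole office behind one public IP.
    It has no PPTP-aware helper, so it cannot use the GRE Call ID to
    tell tunnels apart (an assumption about the ADSL router)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outside key -> inside host; return packets are matched on this key,
        # so two flows with the same key cannot be active at the same time
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def translate(self, proto: int, inside_ip: str, inside_port: Optional[int],
                  server_ip: str) -> Tuple[Tuple, Optional[Tuple[str, Optional[int]]]]:
        """Install a mapping; return (outside key, evicted inside host or None)."""
        if proto == GRE:
            # no ports to rewrite: every inside host collapses onto one key
            key = (GRE, self.public_ip, server_ip)
        else:
            key = (proto, self.public_ip, self.next_port, server_ip)
            self.next_port += 1          # a fresh source port per flow
        evicted = self.table.get(key)
        self.table[key] = (inside_ip, inside_port)
        return key, evicted

def live_tunnels(proto: int, clients, server_ip: str = "203.0.113.10",
                 public_ip: str = "198.51.100.7") -> int:
    """How many remote-office clients keep a tunnel once all have connected."""
    gw = HideNatGateway(public_ip)
    port = 2746 if proto == UDP else None
    for client in clients:
        gw.translate(proto, client, port, server_ip)
    return len(gw.table)

def overlapping_sites(sites: Dict[str, str]):
    """Pairs of remote sites whose private ranges overlap (Julian's warning)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
```

With three constructed clients, `live_tunnels(GRE, ...)` returns 1 (each new tunnel evicts the previous mapping) and `live_tunnels(UDP, ...)` returns 3.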

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet.







**********************************************************************
Zenith Insurance Management Limited    Registered No. 3805632
Registered @ Zenith House, Market Place, Haywards Heath,
West Sus, RH16 1DB.

NOTICE:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
[email protected] and delete the message and any
attachments accompanying it immediately.

**********************************************************************


