
[FW-1] SecureRemote - NATTing issue??



Dear group,

So far, I have only been reading about the interactions in this mail group and have not had any request for info or made comments, as I have been out of the mainstream after getting canned during the Silicon Valley crunch. Here in Europe, getting some bites, however. I have a potential client who is having a problem with a VPN.

I would like to research his SecureRemote problem and report back to him by Monday. Before I get really involved with research and making deductions, I thought I would ask the group if you have experienced the same problems.

I asked some questions about their setup and here were the answers:

>1. from end to end setup

It's a Host<->Gateway VPN, from my boss' home SecuRemote to our Internet firewall. Since my boss is behind a NAT-ing ADSL gateway/firewall, it uses udp encapsulation.

>2. Encryptions - setup instructions if you know them

I'm not quite sure what you mean by this question...

>3. Multiple entry points? Others having same problem?

No MEP. Someone else at our company might have the same problems, although I have not sniffed his connection yet.

>4. VPN cards?

Nope.

>5. Hardware configurations. Any other problems exist other than VPN?

Company firewall: noname PC: 1GHz Celeron, 128M memory, 2 double Intel and a single (unused) D-Link network cards

SecuRemote host: no idea

>6. OS platforms

Company firewall: Red Hat Linux 7.3

SecuRemote host: Windows XP

>7. Fw platforms - versions, management consoles, inspection modules

NGFP3 with current hotfixes

The SecuRemote is the most current FP3 version (but same problem with the FP4 version)

>What type of problems:

>1. Connectivity, communication slow, etc. Does it ever correct itself?

VPN connection sometimes dies (non-VPN ones still work). After a few minutes (5-10 or more) it is usually OK again.

>2. What type of error messages

None at all (apart from the can't connect, unreachable, etc. stuff from the applications).

>3. Frequency of problems

Varies, but many times a day.

>4. What you have done to correct the problem in past

Rebooting always helps. So does deleting and recreating the site definition in SecuRemote. Or just waiting. All these solutions are temporary however.

>5. What you think is causing the problem

Stupid Check Point, perhaps? ;)

What is actually going on is pretty clear, however. If I tcpdump on the ADSL fw/router in front of the SecuRemote machine, it is quite revealing. While SR is working correctly, it is sending the UDP encapsulated IPsec packets to the correct interface of the FW. When it starts misbehaving, it starts trying to send the same packets to the IP address of the internal interface of the firewall (which is, of course, a private IP address: 192.168.47.254). I have not yet seen any reason why it starts sending to the wrong IP suddenly.

>6. Who has helped you in the past and what have they said and done

I searched the Check Point KB for a while, and I did find relevant resolutions (mostly to do with resolve_interface_ranges and sometimes contradicting each other), but they did not seem to help. But I will try it again if you think that is the right solution.




Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft), CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest
Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008 Mobile: 06-20/803 9687
[email protected]
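
The tcpdump observation in the message above (the client switching from the firewall's external address to 192.168.47.254) can be timed from a saved capture. The following is an added example, not part of the original post: the capture lines are constructed, 203.0.113.10 and 192.168.1.20 are placeholder addresses, and UDP port 2746 for the encapsulated traffic is an assumption.

```python
import ipaddress
import re

# Constructed `tcpdump -n udp` output as seen on the ADSL router (not from the post).
# 203.0.113.10 is a placeholder for the firewall's external address, 192.168.1.20 a
# placeholder for the SecuRemote host; 192.168.47.254 is the address named in the post.
SAMPLE = """\
10:15:01.100000 IP 192.168.1.20.2746 > 203.0.113.10.2746: UDP, length 132
10:15:02.100000 IP 203.0.113.10.2746 > 192.168.1.20.2746: UDP, length 148
10:15:03.100000 IP 192.168.1.20.2746 > 203.0.113.10.2746: UDP, length 132
10:21:40.500000 IP 192.168.1.20.2746 > 192.168.47.254.2746: UDP, length 132
10:21:41.500000 IP 192.168.1.20.2746 > 192.168.47.254.2746: UDP, length 132
10:33:09.900000 IP 192.168.1.20.2746 > 203.0.113.10.2746: UDP, length 132
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is in a private range that cannot be reached across the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def gateway_flips(capture, client, port=2746):
    """Return (timestamp, old_dst, new_dst, new_is_private) for every change in the
    address the client sends encapsulated packets to. port=2746 is an assumption."""
    flips, current = [], None
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != client or int(m["dport"]) != port:
            continue  # skip replies from the gateway and unrelated traffic
        dst = m["dst"]
        if current is not None and dst != current:
            flips.append((m["ts"], current, dst, is_rfc1918(dst)))
        current = dst
    return flips

if __name__ == "__main__":
    for ts, old, new, private in gateway_flips(SAMPLE, "192.168.1.20"):
        note = "private, unreachable from outside" if private else "routable"
        print(f"{ts}  {old} -> {new}  ({note})")
```

The timestamps of each flip can then be compared with the firewall and client logs for the same moments.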


   All contents © 2004 Network Presence, LLC. All rights reserved.