I'm still confused...
Packet comes from remote private IP (10.1.1.13 - lucky number ;-)
encrypted, then sent, then remote router NATs to, say, 222.1.1.13 & sends
along to firewall. Firewall sets up the tunnel to use internal
address 101.1.1.13 on our LAN, decrypts the packet, keeps the
association between the source IP (10.1.1.13) and the internal IP
(111.1.1.13) and the packet is resent out on the LAN as though it came
from 111.1.1.13 on the firewall internal interface. In the last step,
the packet with target IP address 111.1.1.13 gets handed to the OS for
routing, but the OS doesn't know anything about the association with
222.1.1.13 and 10.1.1.13.
Return trip, packet addressed to 111.1.1.13, received on the firewall
internal interface, and the Checkpoint s/w "gets" the packet for target
111.1.1.13, changes the target IP to 10.1.1.13 & encrypts it, then sends
it to the remote router 222.1.1.13, keeping track of source port, etc.--
the Checkpoint s/w puts the encrypted packet (payload) inside a packet
with target IP 222.1.1.13 & hands it to the OS for routing. I would
expect that it's the Checkpoint s/w doing this, since how would the OS
associate those three different IPs?
But, since the Checkpoint "knows" the association between the internal
IP Pool address assigned (111.1.1.13) and the NAT-ed remote address
(222.1.1.13) and the private internal IP (10.1.1.13), can't it keep
track if another 10.1.1.13 arrives NAT'ed to 50.50.50.50 (or something)?
The new incoming packet has a different public IP, so it gets a
different IP Pool address, maybe 111.1.1.14.
What am I missing here, please?
--
David Strom
Charalambos Klitiropoulos wrote:
It is a matter of where NAT happens, before or after routing. As you
probably know, it is the OS that does the routing in a Check Point firewall.
The FW-1 module sits between the NIC driver and the OS kernel (between ISO
levels 2 and 3). In the case of IP Pool NAT, address translation happens on
the server side. In case of a SecuRemote tunnel, the path of the encrypted
packets is as follows:
1. they arrive at the external interface
2. they are extracted from the ESP packets (packets from users A and B
are destined for server C)
3. they are forwarded to the kernel, where they are routed to the
proper internal interface, according to their destination IP address (C)
4. their source addresses are translated to the IP addresses that
were assigned to each user when the SecuRemote session was established (IP
address A is translated to X and IP address B is translated to Y)
5. they are transmitted from the internal interface
The reply packets follow the exact reverse path:
1. they arrive at the internal interface (packets from server C to
addresses X and Y)
2. the destination addresses are translated back to the original
addresses (address X is translated back to address A and address Y is
translated back to address B) - (address translation of the subsequent
packets of any connection happens on the "place" where the first packet of
that connection was translated)
3. they are forwarded to the kernel, where they are routed to the
external interface, according to their destination IP addresses
4. they are encrypted and put in ESP packets
5. the ESP packets are transmitted from the external interface
If you have two SecuRemote users with the same IP address (A and A) on their
machines, their packets will correctly enter the internal network and reach
the internal server. Each user's packets will be translated to a separate IP
address taken from the NAT pool (X and Y). The replies to those packets will
be translated to their originals in step 2 (A and A). The problem will
appear in the fourth step, where VPN-1 will need to decide to which user
each packet belongs. The problem is that the packets from both users will
have the same destination IP address. Although there could be a mechanism to
decide which packet goes where (similar to the NAT mechanism that takes into
account other packet properties such as port numbers etc), I do not know how
easy or not it is to code such a feature. Other than that, VPN security
associations are configured for IP addresses and not users.
OfficeMode is a way of making sure that users A and B will be assigned an IP
address from the firewall, making sure that they will not be the same. Hence
there is no need for an IP pool. Sometime ago I was told from a Check Point
presales engineer that OfficeMode would be available sometime in the future.
However I do not know if and when they will actually offer this. I guess
when the competition forces them to add a "new" feature to their free VPN
client.
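A toy model of the two paths Charalambos describes, added here as an illustration; it is not code from the thread or from Check Point. It keeps the FW-1 module's translation table at the interfaces and hands only the translated packet to the (simulated) kernel in between, so the peer identity known at step 2 of the return path is no longer available at step 4, where the SA is selected by destination address alone. The pool addresses 111.1.1.13/111.1.1.14, the private address 10.1.1.13 and the public addresses 222.1.1.13 and 50.50.50.50 are taken from the thread; the gateway address 203.0.113.1, the server 10.10.10.5 and the Office-Mode-style addresses 172.16.0.1/2 are constructed for the example.

```python
# Toy model of the SecuRemote / IP Pool NAT path described in the thread.
# Added example, not Check Point code; addresses are constructed where noted.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class EspPacket:
    outer_src: str   # public (post-router-NAT) address of the remote peer
    outer_dst: str   # firewall external interface
    inner: Packet    # the encapsulated packet ("encrypted" only notionally here)


class Gateway:
    def __init__(self, external_ip: str, pool: Optional[List[str]] = None):
        self.external_ip = external_ip
        self.pool = list(pool) if pool else None        # None = no IP Pool NAT
        self.sa_peers: Dict[str, List[str]] = {}        # inner IP -> peers whose SA covers it
        self.nat: Dict[Tuple[str, str], str] = {}       # (peer, inner src) -> pool address
        self.nat_rev: Dict[str, Tuple[str, str]] = {}   # pool address -> (peer, inner src)

    def establish(self, peer: str, inner_ip: str) -> None:
        """Session setup: the SA is keyed by the client's inner IP, not by user."""
        self.sa_peers.setdefault(inner_ip, []).append(peer)

    # ---- inbound path (first list, steps 1-5) ----
    def inbound(self, esp: EspPacket) -> Packet:
        inner = esp.inner                               # step 2: extract from ESP
        # step 3: kernel routes by inner.dst (one internal interface, so omitted)
        if self.pool is None:                           # Office-Mode style: unique inner IPs
            return inner
        key = (esp.outer_src, inner.src)                # step 4: IP Pool NAT on the source
        if key not in self.nat:
            addr = self.pool.pop(0)
            self.nat[key] = addr
            self.nat_rev[addr] = key
        return Packet(self.nat[key], inner.dst)         # step 5: onto the LAN

    # ---- return path (second list, steps 1-5) ----
    def internal_in(self, pkt: Packet) -> Packet:
        """Step 2: reverse the translation where the first packet was translated.
        The peer is known here, but only the translated packet reaches the kernel."""
        if self.pool is None or pkt.dst not in self.nat_rev:
            return pkt
        _peer, orig_src = self.nat_rev[pkt.dst]
        return Packet(pkt.src, orig_src)

    def external_out(self, pkt: Packet) -> Optional[EspPacket]:
        """Step 4: after kernel routing, choose the SA by destination IP only."""
        peers = self.sa_peers.get(pkt.dst, [])
        if len(peers) != 1:
            return None                                 # ambiguous (or unknown) destination
        return EspPacket(self.external_ip, peers[0], pkt)

    def reply(self, pkt: Packet) -> Optional[EspPacket]:
        return self.external_out(self.internal_in(pkt))


def simulate(office_mode: bool) -> List[Tuple[str, Optional[str]]]:
    """Two clients behind different home routers; returns (LAN-side source, reply peer)."""
    gw = Gateway("203.0.113.1", pool=None if office_mode else ["111.1.1.13", "111.1.1.14"])
    server = "10.10.10.5"                               # constructed internal server C
    if office_mode:                                     # firewall-assigned, distinct inner IPs
        clients = [("222.1.1.13", "172.16.0.1"), ("50.50.50.50", "172.16.0.2")]
    else:                                               # both users have the same private IP
        clients = [("222.1.1.13", "10.1.1.13"), ("50.50.50.50", "10.1.1.13")]
    for peer, inner_ip in clients:
        gw.establish(peer, inner_ip)
    results = []
    for peer, inner_ip in clients:
        lan_pkt = gw.inbound(EspPacket(peer, gw.external_ip, Packet(inner_ip, server)))
        esp = gw.reply(Packet(server, lan_pkt.src))
        results.append((lan_pkt.src, None if esp is None else esp.outer_dst))
    return results


if __name__ == "__main__":
    print("IP Pool NAT, duplicate 10.1.1.13:", simulate(False))
    print("Office-Mode style addresses:     ", simulate(True))
```

With the pool, both users get a distinct pool address and their traffic reaches the server, exactly as the reply above says; the return packets are untranslated correctly at step 2, and then `external_out` finds two peers for 10.1.1.13 and cannot choose. Giving each client a distinct inner address (the Office Mode behaviour described above) removes the ambiguity without any pool at all. The `nat_rev` table does still hold the peer at step 2, which is the information a port-aware or connection-aware selection at step 4 would need.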
On 6/8/05, David Strom <[EMAIL PROTECTED]> wrote:
Did Checkpoint say *why* they did this "by design"? If it was a
mistake, then a big one, if not, then they're punishing those of us
using SecuRemote. And, Office Mode/Secure Client doesn't seem to
permit exactly the same type of configuration (range of IPs within the
local, vpn-ed to subnet).
Maybe they messed up, & decided it was a good thing to force SR users to
pay for SC, so they decided it's a "design feature".
--
David Strom
O'Flynn, Derek wrote:
Just a note on this, if you use IP Pool NAT this does nothing to help
endpoints that have the same source IP. For instance, two users behind
routers at their house with 192.168.1.1 as their IP address. If they both
connect at the same time, you will notice connectivity issues. I just
recently worked with CheckPoint Support on this and they confirmed the issue
with me and verified it is by design, and to resolve it I'll need to upgrade
to SecureClient or have one of the end users change their router subnet.
Derek O'Flynn
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Neil Kemp
Sent: Sunday, June 05, 2005 2:46 AM
To: [email protected]
Subject: Re: [FW-1] VPN ip pool
You can use IP Pools where you create an address range (has to be outside of
your Internal Network) and assign it.
Works OK, done this a couple of times.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Cem Akbas
Sent: Saturday, June 04, 2005 8:31 AM
To: [email protected]
Subject: [FW-1] VPN ip pool
Using VPN-1 - SecuRemote, how can I assign IP addresses to clients? Or
is it possible only for SecureClient?
Thanks
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================