RE: CheckPoint SecureRemote Client through pf
problem resolved, thank you everyone for your help.. especially jolan for his openbsd vpn how-to http://www.cryptonomicon.org/notes/vpn_nat.html

oddly enough, my first problem was on the vpn server, whoever set up my account was a poor typer and screwed something up... stupid simple mistakes that i cannot control... (a waste of 3 days of my time for a stupid mistake on their part, shoulda hit up the firewall team at the get-go)

also, i found that i had to open up port 2746 - checkpoint udp encap port to allow connections (in addition to the rules found in jolan's how-to)

thanks again to all

piez,
scott

On Tue, 4 Mar 2003, siivv wrote:
> I am trying to work with a few others to figure out the solution to this problem, though their time is hard to come by... since I do not have access to the vpn firewall, I cannot check its logs, and can only deal with what is on my end
>
> I thank you all for your time and help, hopefully this is something simple that I am forgetting to configure, but we shall see...
>
> scott
RE: CheckPoint SecureRemote Client through pf
What kind of setup am I looking for?

I am using the VPN-1 SecureClient 4.1 SP5 build 4200

The initial connection and proper update of the client with the VPN server works just fine.

Then, it states that it is performing the key exchange when trying to connect to a computer on the vpn, but always seems to fail

tcpdump shows only the first packet going out, but then it would seem nothing is being returned

it's strange to me, i do not know what type(s) of packets compose vpn traffic, so i am unsure of what to look for when sniffin

any help is appreciated

thanks,
scott

On Sat, 1 Mar 2003, Terry Baranski wrote:
> Works fine here as well. There are issues when the NAT'd network behind the user's firewall overlaps with the destination encryption domain, but that's about it AFAIK.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Camiel Dobbelaar
> Sent: Saturday, March 01, 2003 4:13 AM
> To: siivv
> Cc: [EMAIL PROTECTED]
> Subject: Re: CheckPoint SecureRemote Client through pf
>
> > I have secureclient working fine here through a pf firewall, with NAT. No special tricks really... if I tcpdump I first see isakmp traffic (500/udp), then encapsulated traffic using 2746/udp.
> >
> > Let me know if you need more info.
> >
> > --
> > Cam
> >
> > On Fri, 28 Feb 2003, siivv wrote:
> > > Is a connection with the checkpoint secureremote client possible through an obsd 3.2 nat'd pf firewall?
> > >
> > > I am referring to an outbound connection from my home network, through the pf fwall, and to the checkpoint fwall
> > >
> > > I have read that it is not possible with NAT, but figured I would run it by those who may have used it.
> > >
> > > Also, if this is possible, can someone point me in the direction of documentation or explain how exactly it can be done
Re: CheckPoint SecureRemote Client through pf
On Mon, Mar 03, 2003 at 07:25:11PM +, siivv wrote:
> Then, it states that it is performing the key exchange when trying to connect to a computer on the vpn, but always seems to fail
>
> tcpdump shows only the first packet going out, but then it would seem nothing is being returned

Try a rule like this:

    # NAT PROXYING
    # map outgoing packets' source port to an assigned proxy port
    # instead of an arbitrary port
    # in this case, proxy outgoing isakmp with port 500 on the gateway
    nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \
        port 500

- jolan
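A worked pf.conf fragment, added here as an illustration (it is not from the thread, from jolan's how-to, or from any CheckPoint documentation), that puts jolan's port-500 nat rule next to the udp 2746 encapsulation port scott reports having to open in the resolution message above, with the weak catch-all nat rule shown beside the corrected one. The interface names, the home LAN range and the CheckPoint gateway address are assumed placeholders.

```pf
# Added example (not from the thread): pf.conf for an OpenBSD 3.2-era NAT gateway
# that lets a CheckPoint SecureClient on the home LAN reach a VPN-1 gateway.
# Assumed placeholders: kue0 = external interface, fxp0 = internal interface,
# 192.168.1.0/24 = home LAN, 203.0.113.10 = the CheckPoint gateway.
ext_if = "kue0"
int_if = "fxp0"
lan    = "192.168.1.0/24"
vpn_gw = "203.0.113.10"

# Weak: a catch-all nat rule on its own rewrites every outbound source port to
# a random high port, so ISAKMP leaves the gateway from e.g. udp 52xxx instead
# of udp 500. Older IKE peers expect 500 <-> 500 and the key exchange stalls
# after the first packet, which matches what scott saw in tcpdump.
# nat on $ext_if from $lan to any -> ($ext_if)

# Corrected: pf nat rules are first-match, so the ISAKMP rule goes first and
# pins the translated source port to 500 (jolan's rule, restricted to the LAN
# and to the VPN gateway); everything else falls through to the general rule.
nat on $ext_if inet proto udp from $lan port = isakmp to $vpn_gw -> ($ext_if) port 500
nat on $ext_if from $lan to any -> ($ext_if)

# Filter: allow IKE (udp 500) and CheckPoint's UDP encapsulation (udp 2746)
# from the LAN to the gateway; the state entries let the replies back in.
pass in  on $int_if inet proto udp from $lan to $vpn_gw port { isakmp, 2746 } keep state
pass out on $ext_if inet proto udp from any to $vpn_gw port { isakmp, 2746 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and confirm with `tcpdump -ni kue0 udp port 500 or udp port 2746` that the outbound ISAKMP packets leave with source port 500 and that 2746/udp traffic flows in both directions once the key exchange completes. No pf rule helps with the other failure mode Terry raises in this thread: if the home LAN range is also routed inside the corporate network, or overlaps the encryption domain, the CheckPoint side will send replies the wrong way, and that has to be fixed by renumbering the home LAN.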
RE: CheckPoint SecureRemote Client through pf
Does SecureClient work for everyone else, or is this a new deployment that you're working on?

Are you positive that the private address range you're using at home isn't used anywhere else on the corporate network? If the CheckPoint firewall has a route for the private IP address you're using which points to the inside (e.g., because the subnet on which the IP resides is used internally), you can run into these types of problems.

Do the CheckPoint firewall logs show any packets from you arriving at the firewall after the initial authentication?

The way you troubleshoot these types of things is to sniff from as many places as possible. In your case you at the very least need to sniff from various interfaces on your firewall as well as the CheckPoint firewall. (You can use CheckPoint's log GUI but TCPDUMP is preferable since CheckPoint's GUI doesn't show every packet.) This will allow you to narrow down the issue by being able to determine things like "this packet left my firewall but never made it to the CheckPoint firewall" or "this packet made it to the CheckPoint firewall but the CheckPoint firewall's response packet never made it back to me", etc.

I think the likelihood is that this isn't a PF issue (though anything's possible), so we're probably in OT territory at this point. Feel free to respond to me directly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of siivv
Sent: Monday, March 03, 2003 2:25 PM
To: Terry Baranski
Cc: [EMAIL PROTECTED]
Subject: RE: CheckPoint SecureRemote Client through pf

> What kind of setup am I looking for?
>
> I am using the VPN-1 SecureClient 4.1 SP5 build 4200
>
> The initial connection and proper update of the client with the VPN server works just fine.
>
> Then, it states that it is performing the key exchange when trying to connect to a computer on the vpn, but always seems to fail
>
> tcpdump shows only the first packet going out, but then it would seem nothing is being returned
>
> it's strange to me, i do not know what type(s) of packets compose vpn traffic, so i am unsure of what to look for when sniffin
>
> any help is appreciated
>
> thanks,
> scott
>
> On Sat, 1 Mar 2003, Terry Baranski wrote:
> > Works fine here as well. There are issues when the NAT'd network behind the user's firewall overlaps with the destination encryption domain, but that's about it AFAIK.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Camiel Dobbelaar
> > Sent: Saturday, March 01, 2003 4:13 AM
> > To: siivv
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: CheckPoint SecureRemote Client through pf
> >
> > > I have secureclient working fine here through a pf firewall, with NAT. No special tricks really... if I tcpdump I first see isakmp traffic (500/udp), then encapsulated traffic using 2746/udp.
> > >
> > > Let me know if you need more info.
> > >
> > > --
> > > Cam
> > >
> > > On Fri, 28 Feb 2003, siivv wrote:
> > > > Is a connection with the checkpoint secureremote client possible through an obsd 3.2 nat'd pf firewall?
> > > >
> > > > I am referring to an outbound connection from my home network, through the pf fwall, and to the checkpoint fwall
> > > >
> > > > I have read that it is not possible with NAT, but figured I would run it by those who may have used it.
> > > >
> > > > Also, if this is possible, can someone point me in the direction of documentation or explain how exactly it can be done
Re: CheckPoint SecureRemote Client through pf
I have secureclient working fine here through a pf firewall, with NAT. No special tricks really... if I tcpdump I first see isakmp traffic (500/udp), then encapsulated traffic using 2746/udp.

Let me know if you need more info.

--
Cam

On Fri, 28 Feb 2003, siivv wrote:
> Is a connection with the checkpoint secureremote client possible through an obsd 3.2 nat'd pf firewall?
>
> I am referring to an outbound connection from my home network, through the pf fwall, and to the checkpoint fwall
>
> I have read that it is not possible with NAT, but figured I would run it by those who may have used it.
>
> Also, if this is possible, can someone point me in the direction of documentation or explain how exactly it can be done
RE: CheckPoint SecureRemote Client through pf
Works fine here as well. There are issues when the NAT'd network behind the user's firewall overlaps with the destination encryption domain, but that's about it AFAIK.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Camiel Dobbelaar
Sent: Saturday, March 01, 2003 4:13 AM
To: siivv
Cc: [EMAIL PROTECTED]
Subject: Re: CheckPoint SecureRemote Client through pf

> I have secureclient working fine here through a pf firewall, with NAT. No special tricks really... if I tcpdump I first see isakmp traffic (500/udp), then encapsulated traffic using 2746/udp.
>
> Let me know if you need more info.
>
> --
> Cam
>
> On Fri, 28 Feb 2003, siivv wrote:
> > Is a connection with the checkpoint secureremote client possible through an obsd 3.2 nat'd pf firewall?
> >
> > I am referring to an outbound connection from my home network, through the pf fwall, and to the checkpoint fwall
> >
> > I have read that it is not possible with NAT, but figured I would run it by those who may have used it.
> >
> > Also, if this is possible, can someone point me in the direction of documentation or explain how exactly it can be done
Re: CheckPoint SecureRemote Client through pf
On Fri, Feb 28, 2003 at 06:29:19PM +, siivv wrote:
> Is a connection with the checkpoint secureremote client possible through an obsd 3.2 nat'd pf firewall?
>
> I am referring to an outbound connection from my home network, through the pf fwall, and to the checkpoint fwall

How about more information? Are you using isakmp to authenticate? Are you using ESP..? What appears to be the problem, identified via tcpdump?

- jolan