On Thu, Mar 21, 2002 at 02:32:10PM -0600, Kerry Miller wrote:
: We have a client using a CheckPoint VPN, we're trying to use the VPN-1
: SecureClient. Does anybody know what ports/protocols I need to open for
: this to work through our firewall? I tried this:
I'm going to make a few assumptions.
1. You're using the Check Point SecuRemote/SecureClient NG version (this
version is still backward compatible with VPN-1 4.1)
2. You've enabled IKE over TCP in the client
3. You've enabled the "Force UDP Encapsulation" option in the client
The initial network topology download is a TCP connection from a random
local high port to tcp/256 on the remote gateway.
Once you've got the network topology information, the client will
automagically activate when you try to access a resource in the remote
gateway's "encryption domain".
Since you've enabled IKE over TCP, your initial authentication with the
remote gateway will be tcp/500 on the local client to tcp/500 on the
remote side. Once you've gone through IKE phase I and phase II, you won't
transmit any more IKE packets, until your SAs are due to renegotiate.
Once IKE/IPSec is up, your ESP traffic will be encapsulated inside UDP
packets that are of the format local client udp/2746 <--> gateway udp/2746.
In order to get this to work with ipchains, I believe you'll need to use
the ipsec_masq modules. If you convert to iptables, which I HIGHLY
recommend, you'll get this for "free", no additional configuration.
I'll email you a packet trace privately.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.
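The three flows described above, turned into a firewall ruleset as an added example (not from the original post or from Check Point). It assumes a stateful iptables firewall with the state match, client network `$lan` and gateway `$gw` are placeholders, and it also covers the two cases the post does not spell out (IKE on udp/500 and native ESP when the two client options are left off):

```sh
#!/bin/sh
# Added example, not from the original post: print the iptables FORWARD rules
# a firewall between SecureClient users and a Check Point VPN-1 gateway needs.
# Assumptions: stateful iptables with the state match, clients on $lan,
# gateway at $gw; the yes/no flags mirror the two client options in the post.
# The function only prints the rules so they can be reviewed before applying.

secureclient_rules() {
    lan="$1"          # client network, e.g. 192.168.10.0/24 (placeholder)
    gw="$2"           # VPN-1 gateway address (placeholder)
    ike_tcp="$3"      # yes: "IKE over TCP" enabled (tcp/500); no: plain udp/500
    udp_encap="$4"    # yes: "Force UDP Encapsulation" (udp/2746); no: raw ESP

    # Topology download: random local high port -> tcp/256 on the gateway
    echo "iptables -A FORWARD -p tcp -s $lan -d $gw --dport 256 -m state --state NEW -j ACCEPT"

    # IKE phase I/II; used until the SAs are up, then again only at rekey time
    if [ "$ike_tcp" = yes ]; then
        echo "iptables -A FORWARD -p tcp -s $lan -d $gw --sport 500 --dport 500 -m state --state NEW -j ACCEPT"
    else
        echo "iptables -A FORWARD -p udp -s $lan -d $gw --dport 500 -m state --state NEW -j ACCEPT"
    fi

    # Data path: ESP wrapped in udp/2746 <-> udp/2746, or native ESP (IP proto 50)
    if [ "$udp_encap" = yes ]; then
        echo "iptables -A FORWARD -p udp -s $lan -d $gw --sport 2746 --dport 2746 -m state --state NEW -j ACCEPT"
    else
        echo "iptables -A FORWARD -p esp -s $lan -d $gw -m state --state NEW -j ACCEPT"
    fi

    # Return traffic rides on connection tracking: this is the part iptables
    # gives you "for free" where ipchains needed the ipsec_masq modules.
    echo "iptables -A FORWARD -s $gw -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Example invocation with constructed addresses; replace with your own
secureclient_rules 192.168.10.0/24 203.0.113.5 yes yes
```

Pipe the output through `sh` only after checking it; the NEW-only rules in the client-to-gateway direction are what keep the gateway from initiating connections back into the client network.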
___
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list