
RE: CheckPoint SecureRemote Client through pf

Does SecureClient work for everyone else, or is this a new deployment
that you're working on?  Are you positive that the private address range
you're using at home isn't used anywhere else on the corporate network?
If the CheckPoint firewall has a route for the private IP address you're
using which points to the inside (e.g., because the subnet on which the
IP resides is used internally), you can run into these types of

Do the CheckPoint firewall logs show any packets from you arriving at
the firewall after the initial authentication?  The way you troubleshoot
these types of things is to sniff from as many places as possible.  In
your case you at the very least need to sniff from various interfaces on
your firewall as well as the CheckPoint firewall.  (You can use
CheckPoint's log GUI but TCPDUMP is preferable since CheckPoint's GUI
doesn't show every packet.)  This will allow you to narrow down the
issue by being able to determine things like "this packet left my
firewall but never made it to the CheckPoint firewall" or "this packet
made it to the CheckPoint firewall but the CheckPoint firewall's
response packet never made it back to me", etc.   
I think the likelihood is that this isn't a PF issue (though anything's
possible), so we're probably in OT territory at this point.  Feel free
to respond to me directly.
-----Original Message-----
From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx] On Behalf
Of siivv
Sent: Monday, March 03, 2003 2:25 PM
To: Terry Baranski
Cc: pf@benzedrine.cx
Subject: RE: CheckPoint SecureRemote Client through pf

What kind of setup am I looking for?

I am using the VPN-1 SecureClient 4.1 SP5 build 4200.

The initial connection and proper update of the client with the VPN
server works just fine. Then, it states that it is performing the key
exchange when trying to connect to a computer on the VPN, but always
seems to fail.

tcpdump shows only the first packet going out, but then it would seem
nothing is being returned.

It's strange to me. I do not know what type(s) of packets compose VPN
traffic, so I am unsure of what to look for when sniffing.

Any help is appreciated.

On Sat, 1 Mar 2003, Terry Baranski wrote:
> Works fine here as well.  There are issues when the NAT'd network 
> behind the user's firewall overlaps with the destination encryption 
> domain, but that's about it AFAIK.
>
> -----Original Message-----
> From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx] On Behalf
> Of Camiel Dobbelaar
> Sent: Saturday, March 01, 2003 4:13 AM
> To: siivv
> Cc: pf@benzedrine.cx
> Subject: Re: CheckPoint SecureRemote Client through pf
>
> I have secureclient working fine here through a pf firewall, with NAT.
> No special tricks really...  if I tcpdump I first see isakmp traffic 
> (500/udp), then encapsulated traffic using 2746/udp.
>
> Let me know if you need more info.
>
> --
> Cam
>
> On Fri, 28 Feb 2003, siivv wrote:
> >
> > Is a connection with the checkpoint secureremote client possible 
> > through an obsd 3.2 nat'd pf firewall?  I am referring to an outbound 
> > connection from my home network, through the pf fwall, and to the 
> > checkpoint fwall.
> >
> > I have read that it is not possible with NAT, but figured I would 
> > run it by those who may have used it.
> >
> > Also, if this is possible, can someone point me in the direction of 
> > documentation or explain how exactly it can be done
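
The narrowing-down approach from the reply at the top of this thread (sniff at several points, then find where a packet was last seen), as an added example that is not part of the original messages. It reads `tcpdump -n` text output from capture points ordered from the client toward the gateway and reports the first gap for the two traffic types named in the thread (500/udp and 2746/udp); the gateway address, capture point names and sample capture lines are constructed assumptions.

```python
import re

# Assumptions (constructed): gateway address and capture text below are sample
# values from documentation ranges; ports 500/udp and 2746/udp are from the thread.
GATEWAY = "203.0.113.5"
KINDS = {500: "isakmp", 2746: "encapsulated"}
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def summarize(text):
    """Return the set of (kind, direction) pairs seen in `tcpdump -n` text output."""
    seen = set()
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dst == GATEWAY and dport in KINDS:      # client -> gateway
            seen.add((KINDS[dport], "out"))
        elif src == GATEWAY and sport in KINDS:    # gateway -> client
            seen.add((KINDS[sport], "in"))
    return seen

def locate_loss(captures):
    """captures: (name, text) pairs ordered from the client toward the gateway."""
    points = [(name, summarize(text)) for name, text in captures]
    for kind in KINDS.values():                    # key exchange first, then tunnel
        prev = None
        for name, seen in points:                  # follow the request outward
            if (kind, "out") not in seen:
                return f"{kind}: " + (f"left {prev} but never reached {name}" if prev else f"never seen at {name}")
            prev = name
        prev = None
        for name, seen in reversed(points):        # follow the reply back
            if (kind, "in") not in seen:
                return f"{kind}: " + (f"reply left {prev} but never reached {name}" if prev else f"reached {name} but no reply seen there")
            prev = name
    return "both directions seen at every capture point"

# Constructed sample captures; the source address changes at pf-external because of NAT.
IKE_OK = "10:00:01.1 IP {c}.500 > 203.0.113.5.500: isakmp\n10:00:01.2 IP 203.0.113.5.500 > {c}.500: isakmp\n"
ESP_OUT = "10:00:05.1 IP {c}.2746 > 203.0.113.5.2746: UDP, length 120\n"
CAPTURES = [
    ("pf-internal", (IKE_OK + ESP_OUT).format(c="192.168.1.10")),
    ("pf-external", (IKE_OK + ESP_OUT).format(c="198.51.100.7")),
    ("checkpoint-external", (IKE_OK + ESP_OUT).format(c="198.51.100.7")),
]

if __name__ == "__main__":
    print(locate_loss(CAPTURES))
```

Direction is decided by the gateway address rather than the client address, so the same logic works on both sides of the NAT.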