
Connecting to an external VPN from behind FW-1


Haleon (IS-IT--Management, US)
Feb 2, 2004
Hello everyone,

One of the users in my office needs to connect to a PPTP VPN outside of our office. He is trying to access this VPN from behind our checkpoint firewall. Initially there was no connection between the sites, but then I created a rule allowing outbound and inbound PPTP connections from any to our network and from our network to any.

After I opened that up, the connection starts to go through, but then hangs up when it's trying to verify the username and password. After checking the logs, I can see that our outbound request is being allowed through, but I never see any sort of inbound connection. It's like it's being blocked, but I don't see any dropped packets from the VPN's IP address.

Any help would be greatly appreciated. I've tried just about everything I can think of, and I still can't get the connection to go through. Thanks!

Jon
 
You may also need to allow IP protocol 47 (GRE) for PPTP to work.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Hey Chris,

Thanks for the reply. When you go to add ports/protocols there is a PPTP entry and a PPTP-tcp entry. If you add the PPTP entry, Checkpoint automatically opens up PPTP-tcp and GRE. I guess you could say it's like a group. But on that note, I also tried opening up PPTP-tcp and GRE individually with the same results.
 
Is your user that is opening the PPTP session hiding behind the firewall IP address, or do they have a static NAT? Looking at an example of a firewall that I look after where the client opens up PPTP to a remote office, I had to add inbound GRE to the client to allow the sessions to be established. Of course, if this isn't allowed then you should see inbound IP47 packets being dropped at the firewall. If not, then it may be that the firewall on the other end is misconfigured.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
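The diagnosis Chris describes above (a PPTP session that hangs at authentication usually lacks the GRE, IP protocol 47, return traffic that carries the tunnel; if inbound GRE is being dropped a rule is missing, and if it never arrives at all the NAT setup or the remote end is the suspect) can be turned into a log check. The script below is an added example, not code from the thread or from Check Point; it parses constructed key=value log lines in a hypothetical format, finds each outbound TCP/1723 control session, and reports whether the matching inbound GRE from the VPN server was accepted, dropped, or never seen.

```python
"""
Correlate outbound PPTP control sessions (TCP/1723) with the inbound GRE
(IP protocol 47) traffic they depend on. Log format is a constructed
key=value style for the example, not any vendor's real log format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: three clients behind the firewall, three outcomes.
SAMPLE_LOG = """\
dir=outbound action=accept proto=tcp src=10.1.1.25 dst=203.0.113.10 dport=1723
dir=outbound action=accept proto=gre src=10.1.1.25 dst=203.0.113.10
dir=outbound action=accept proto=tcp src=10.1.1.40 dst=198.51.100.7 dport=1723
dir=inbound action=accept proto=gre src=198.51.100.7 dst=10.1.1.40
dir=outbound action=accept proto=tcp src=10.1.1.77 dst=192.0.2.9 dport=1723
dir=inbound action=drop proto=gre src=192.0.2.9 dst=10.1.1.77
"""

# What each verdict means for the firewall admin (mirrors the thread's advice).
EXPLANATIONS = {
    "ok": "inbound GRE from the VPN server was accepted; tunnel can come up",
    "gre_return_dropped": "inbound GRE is hitting a drop: add an inbound IP47 rule to the client",
    "gre_return_missing": "no inbound GRE at all: check hide NAT vs static NAT, or the remote firewall",
}


@dataclass
class Entry:
    direction: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Entry:
    """Split one 'key=value key=value' line into an Entry (hypothetical format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Entry(
        direction=fields["dir"],
        action=fields["action"],
        proto=fields["proto"].lower(),
        src=fields["src"],
        dst=fields["dst"],
        dport=int(fields["dport"]) if "dport" in fields else None,
    )


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def diagnose_pptp(entries: List[Entry]) -> Dict[Tuple[str, str], str]:
    """Return {(client, vpn_server): verdict} for every accepted PPTP control session."""
    verdicts: Dict[Tuple[str, str], str] = {}

    # Step 1: every accepted outbound TCP/1723 session is a PPTP attempt.
    for e in entries:
        if e.direction == "outbound" and e.action == "accept" and e.proto == "tcp" and e.dport == 1723:
            verdicts[(e.src, e.dst)] = "gre_return_missing"

    # Step 2: look for the inbound GRE from the server back to that client.
    # An accept wins outright; a drop is recorded unless an accept is found later.
    for client, server in list(verdicts):
        for e in entries:
            if e.proto == "gre" and e.direction == "inbound" and e.src == server and e.dst == client:
                if e.action == "accept":
                    verdicts[(client, server)] = "ok"
                    break
                verdicts[(client, server)] = "gre_return_dropped"
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in diagnose_pptp(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {server}: {verdict} ({EXPLANATIONS[verdict]})")
```

Note that with hide NAT the firewall rewrites the client's address to its own, so the GRE source/destination pairs in a real log would show the firewall's external address rather than the internal client; the constructed sample keeps the internal addresses to make the correlation visible.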
 
I believe Checkpoint has a solution for this in their knowledgebase. I had the same problem about 6 months ago. It worked fine with 4.1, but when we upgraded to NG it stopped working.

I believe the solution was that you had to setup static nat and a static IP address for the computer that you want to allow to use the PPTP VPN.
 
Thanks for the replies, guys. I appreciate it.

iproute,

Currently, the computer initiating the PPTP request is not defined with a static NAT. I did try it with a static NAT though on the suggestion of another Checkpoint admin. It still didn't work with the static route. I also have GRE and PPTP-tcp allowed both where the traffic originates from within our network and outside of our network.

dfedders,

Thanks for the response. As I said in the above response, I have tried it with a static NAT, but I have not assigned a static IP to the computer initiating the PPTP request. I'll try that today and see if it works. I hope it does. Though that's pretty crappy of Checkpoint to require a static IP to allow tunneled traffic through their firewall. Thanks for the help!
 
Woohoo! That fixed it. Thank you so much dfedders!
 
Argh, spoke too soon. It worked one time, allowed me to fully connect and everything. When I switched the static routes to the client's address it started failing again. Damn.
 
Actually, I spoke too soon again. The fix worked; I just have a nasty habit of creating rules that invalidate each other because I'm a total moron. Thanks again for your help dfedders.
 
No problem. I don't know why it doesn't work properly. It used to work fine with version 4.1, but with NG you have to do all that extra crap to get it to work.
 