Router setup for SecureClient via a Speedtouch ADSL Rt

JohnMLie

MIS
Dec 13, 2003
1
NL
Hi experts,

Does anyone have experience with Checkpoint Secure Client setup with a Speedtouch 510i ADSL Router?
I've tried to get it working but keep receiving the error:
Gateway not responding. Connection failed.

I'm able to Update site information.
The Diagnostic window shows the problem starts when an attempt is made to receive an IP address by the VPN-1 Gateway.

 
Hi John,

I'm having the exact same problem with 2 of my users.
One user having the Speedtouch 510i router, the other using the 510 with 4 hubports.

I'm waiting for a response from the Speedtouch helpdesk regarding this case.

My guess is that the Speedtouch doesn't allow (or can't handle) the response traffic from the Central VPN/Firewall to go over to your local client. But since I can't find a log in the ST-modem I can't verify that.

Maybe one solution could be to bridge the modem and let the computer get the official IP that the ST-modem otherwise would get.

//Rob
 
Hi,

There are two possibilities for this problem:

First, you must activate UDP encapsulation if this router NATs the packets!

Second, you can activate IKE over TCP support.

Bye

Mike

 
Hi All,

I've got the same problem... UDP encapsulation & IKE over TCP are ON...

Has anyone found a solution?

Thx
 
Guys,

I've talked to the SpeedTouch helpdesk and got some more info.

The ST 510 doesn't support IPSec and VPN-connections by default. If you need this 'feature' you should go with the ST 610. Not that good info for us with ST 510 though.

But there are some workarounds.
1. Configure the NAT translation on the ST.
For example, all access to port 500 from the Internet to the ST should be redirected to a specific internal LAN IP on port 500.
Telnet to the ST, type the following and press ENTER:
create protocol=udp inside_addr=10.0.0.1 inside_port=500 outside_addr=0 outside_port=500
You need to put up more than this port to make it work so I wouldn't go for this solution.

2. Configure a defaultserver.
Telnet to the ST and type the IP for the default inside workstation using the following command:
defserver addr=10.1.2.3 (or whatever IP you use)

This option will redirect all outside access towards the IP you put up as a default server. Should work but will make it more difficult to use dynamic IP's on the inside.

3. Set the ST as a bridge.
When using the ST as a bridge and not a router it will not interfere with our IPSec/VPN traffic.
The ISP-provided IP address will be assigned to your PC or whatever device you put on your inside, and not to the ST.

If I can convince my ISP to use this solution I will put up my own router/Firewall to get the official IP and handle the NAT. This is how I have configured it on other clients.

Hope this helps you!
Reg
//Rob
 
Hi guys,

I have had the same problem and this is what worked for me:

What you need to do is remove the "bind" to IKE port 500.
With the bind enabled your ADSL Router will only accept traffic back on port 500. But your server will reply on a random port so no more binding for IKE.

Start a command prompt and type the stuff below. (never type the numbers "1:" etc.)
1: telnet 10.0.0.138
[or whatever the IP address of your ADSL router is]
[next you will be asked for a username and password if you have secured your router, else just press enter]
2: nat
3: unbind application=IKE port=500
4: saveall
5: exit

After step 5 you should be able to get your VPN up.

Good luck.
 