Hi
I am trying to set up Check Point SecureRemote from PCs with the following spec:
Compaq Evos
Win2k Pro
512k ADSL with Intel USB DSL modem
dynamically assigned IPs
SecureRemote latest build
to a single-box all-in-one Check Point FireWall-1/VPN-1 (no separate management) running on a Solaris SPARC box with 2 network cards.
We have purchased and installed all of the appropriate licenses (in fact we purchased SecureClient 250 user, which includes Policy Server, but we are trying to set up just SecureRemote at first to see if we can get it working). The external interface of the firewall is connected to a 2 Mb business ADSL service with a BT managed router. This is an overview of the IP addressing setup
(note addresses are for demo only)
Firewall side BT router 195.156.95.177
external firewall interface 195.156.95.178
internal firewall interface 172.19.8.58
Internal Network 172.19.8.0 /24
test unix box in encryption domain (defined in firewall rules) 172.19.8.100
All of the rules have been set up correctly (I think), but I won't elaborate on these as my problem is at a networking level and the firewall rules are not affected at this stage.
This is my problem. I boot up my laptop (SecureRemote has started in the system tray) and start its 512k ADSL connection to the internet; I am assigned address 81.244.244.244 on the laptop (for example). Once connected, I start a snoop on the external firewall interface, "snoop -t a -d qfe0 81.244.244.244", to see what packets are being received from the laptop. I double-click on SecureRemote and add a site, 195.156.95.178; on the snoop I see packets being received and sent back from the firewall on TCP port 264. This, as I understand it, is the FW1_topo rule I have set up to send the laptop the topology. Back at the laptop, the update date is put into a little box, and the c:\program files\checkpoint\secureremote\database\userc file contains the unix test box I defined in my encryption domain (172.19.8.100). Woo hoo!, I scream, it's working. In the excitement, I promptly open up a command prompt and attempt to telnet to my test unix box on its private address 172.19.8.100.
I receive a message box "failed to connect to site 195.156.95.178"; on the command prompt, the telnet also fails. Mmmm. I go to my snoop, where I see that no packets have been received at all since the conversations on TCP port 264. Now, as I understand it, there was supposed to be an IKE key exchange on UDP port 500 for a VPN tunnel to be created, but nothing. My reaction, after much reading of posts like these, was that the ISPs were blocking/dropping packets on UDP 500, because they were not even reaching the external interface for the firewall to deal with them. After much toil and threatening to change our provider, a very helpful techie from BT helped me troubleshoot what was happening. All ACLs were checked and no restrictions were found. He made me connect my laptop to BT's home ADSL service and he snooped/sniffed the first device that is hit by packets coming out of the laptop. He saw the topology packets, and they looked like this:
81.244.244.244 > 195.156.95.178 S=random D=264
Packets were also coming back as expected. I then tried to connect/telnet to my test unix box 172.19.8.100. Again I received a "failure to connect to site" box, and to my surprise the techie at BT saw the following packet:
81.244.244.244 > 172.19.8.58 S=500 D=500
Utterly confused, I set up Ethereal to snoop what was coming out of the laptop and see this for myself, and there it was; the techie wasn't lying to me. Why oh why is the destination address the private/internal address of my firewall? It's obviously not going anywhere when it hits the web, so it consequently times out and therefore I don't see anything on my snoop.
Does anybody know why the topology (TCP 264) has the correct destination address and the IKE destination address is all screwed up?
Any help on this would be greatly appreciated
yours
gary
hcclnoodles@yahoo.co.uk
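Added example, not part of the original post: a short Python analyser for the one-line packet summaries quoted above. The line format (source > destination S=port D=port) is assumed from the post, the port labels (264 = FW1_topo, 500 = IKE) are taken from it, and the sample lines are constructed. Given the client's address and the site address the client was pointed at, it reports any client-originated packet whose destination is an RFC 1918 address (which no Internet router will forward, so the packet never reaches the gateway's external interface; this is the IKE symptom described) or a public address other than the site.

```python
"""Flag SecureRemote client packets that cannot reach the gateway.

Added example, not Check Point code.  It parses the one-line packet summaries
quoted in the post ("src > dst S=sport D=dport"); the sample lines below are
constructed and the port labels are assumptions based on the post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Service labels the post associates with each destination port (assumption).
KNOWN_PORTS = {
    264: "FW1_topo (topology download, TCP)",
    500: "IKE (UDP)",
}

# Summary line format as quoted in the post, e.g.
# "81.244.244.244 > 172.19.8.58 S=500 D=500".  The source port is kept as text
# because the post writes "S=random".
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*>\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+S=(?P<sport>\S+)\s+D=(?P<dport>\d+)\s*$"
)


@dataclass
class Packet:
    src: str
    dst: str
    sport: str
    dport: int


@dataclass
class Finding:
    service: str
    src: str
    dst: str
    problem: str  # "private_destination" or "wrong_destination"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["src"], m["dst"], m["sport"], int(m["dport"]))


def analyse(lines: List[str], client: str, site: str) -> List[Finding]:
    """Check every packet the client sends against the site address it was given.

    Packets not originating from `client` (e.g. replies from the gateway) are
    ignored.  Two problems are reported:
    - private_destination: a public client is sending to an RFC 1918 address;
      no Internet router forwards that, so the gateway's external interface
      never sees it (exactly what the post describes for UDP 500);
    - wrong_destination: the packet goes to a public address that is not the
      site the client connected to.
    """
    findings: List[Finding] = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.src != client:
            continue
        service = KNOWN_PORTS.get(pkt.dport, f"port {pkt.dport}")
        src_ip = ipaddress.ip_address(pkt.src)
        dst_ip = ipaddress.ip_address(pkt.dst)
        if dst_ip.is_private and not src_ip.is_private:
            findings.append(Finding(service, pkt.src, pkt.dst, "private_destination"))
        elif pkt.dst != site:
            findings.append(Finding(service, pkt.src, pkt.dst, "wrong_destination"))
    return findings


# Constructed sample: the two client packets the BT engineer saw, plus a
# gateway reply to show that non-client packets are skipped.
SAMPLE_LINES = [
    "81.244.244.244 > 195.156.95.178 S=random D=264",  # topology request, correct
    "195.156.95.178 > 81.244.244.244 S=264 D=random",  # gateway reply, ignored
    "81.244.244.244 > 172.19.8.58 S=500 D=500",        # IKE to the internal address
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES, "81.244.244.244", "195.156.95.178"):
        print(f"{f.service}: {f.src} -> {f.dst}: {f.problem}")
```

Run against the post's two packets it reports only the IKE packet, with the destination 172.19.8.58 marked as a private address that cannot be reached from the client; the topology packet to 195.156.95.178 passes. Feeding it a longer capture from Ethereal or snoop (reformatted to the same one-line shape) shows at a glance which SecureRemote service is being sent to the wrong address.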