
SecuRemote VPN through Third Party Firewall - How?

Status
Not open for further replies.

StoneColdDave

Technical User
Oct 3, 2002
16
GB
I have just installed SecuRemote Remote (4.1) onto a workstation on a remote LAN. The intention is to VPN across the Internet from the Workstation to another LAN running Firewall & VPN-1 (4.1).

The LAN has an Internet Gateway (Satellite ADSL). The ADSL equipment seems to come with its own ISP-managed Firewall.

From the Workstation Desktop I can authenticate IKE keys with the destination LAN Firewall, but I can't ping the destination LAN.

I was wondering if additional Ports need opening up on the third party firewall, or if changes are required to the network settings on the workstation.

Any suggestions?


Note - I can ping the destination LAN through SR when using a dialup connection on the WS. The Workstation Gateway is set to third party Firewall address.

 
Scenario (assumption):
> Your Client is connected to an ADSL gateway.
> You use the public IP address of the gateway outside interface for traffic from the client over the internet (NAT).
> You use a data integrity check for your VPN connection?

In that case the tunnel will be established, but the packets transmitted from your client to the VPN gateway on the other side will be translated (modified) on your ADSL gateway (NAT procedure - changing source IP). When the Check Point VPN gateway checks the hash value, it will detect a difference. In other words, the packet will be interpreted as corrupt and will be dropped.

Is this scenario right?
 
I would agree with SteffenR. It sounds like the ADSL gateway is using NAT and therefore you will not be able to connect. You will need to turn off NAT and have public IP addresses set up on your client.
 
If your router is using NAT as suggested, you must use a box capable of IPSEC-UDP. Basically, NAT breaks IPSEC packets when it changes the destination IP from your internet address to your PC. This corrupts the packet so the checksum is wrong.

IPSEC over UDP takes the whole IPSEC packet, headers and all, and puts it in a UDP packet with new headers. This can pass through NAT devices unscathed. Believe me, it isn't easy to set up and it's hard to test, but it can be done. I can guarantee that the Allied Telesyn range of VPN solutions works because I use them. I think Cisco supports IPSEC-UDP, but I haven't checked on Linksys.
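The two replies above make one combined point: an integrity check that covers the IP header (as with AH) fails once a NAT device rewrites the source address, and wrapping the protected packet in UDP sidesteps this because the NAT only touches the outer UDP/IP header. The following Python model is an added illustration and is not code from this thread, from Check Point or from Allied Telesyn. It is deliberately simplified: an HMAC over the addresses plus payload stands in for the real AH/ESP framing, the dictionaries stand in for real packets, the IP addresses are constructed documentation-range values, and UDP port 4500 is used only because it is the standard IPsec NAT-traversal port.

```python
import hmac
import hashlib
import socket

# Constructed shared key standing in for the keys negotiated by IKE.
SHARED_KEY = b"constructed-demo-key"


def _covered_bytes(src_ip, dst_ip, payload):
    """Bytes protected by the integrity check: both addresses plus payload.
    This models the AH case, where the source address is immutable and covered."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload


def make_packet(src_ip, dst_ip, payload):
    """Build a simplified AH-style packet carrying an integrity check value (ICV)."""
    icv = hmac.new(SHARED_KEY, _covered_bytes(src_ip, dst_ip, payload),
                   hashlib.sha256).digest()
    return {"src": src_ip, "dst": dst_ip, "payload": payload, "icv": icv}


def verify_packet(pkt):
    """Receiver-side check: recompute the ICV over the fields as received."""
    expected = hmac.new(SHARED_KEY,
                        _covered_bytes(pkt["src"], pkt["dst"], pkt["payload"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def nat_outbound(pkt, public_ip):
    """Model of source NAT on the ADSL gateway: rewrite the source address
    of whatever it forwards, leaving every other field alone."""
    forwarded = dict(pkt)
    forwarded["src"] = public_ip
    return forwarded


def udp_encapsulate(pkt, src_ip, dst_ip, src_port=4500, dst_port=4500):
    """Wrap the protected packet inside a UDP datagram with its own outer header."""
    return {"src": src_ip, "dst": dst_ip, "sport": src_port,
            "dport": dst_port, "inner": pkt}


def udp_decapsulate(datagram):
    """The VPN gateway strips the outer UDP/IP header and verifies the inner packet."""
    return datagram["inner"]


def simulate(use_udp_encapsulation):
    """Send one protected packet from the client through a NAT gateway to the
    VPN peer and return whether the peer's integrity check passes."""
    client_ip = "192.168.1.10"        # constructed private LAN address
    gateway_public_ip = "203.0.113.5"  # constructed public address of the ADSL gateway
    vpn_peer_ip = "198.51.100.1"       # constructed address of the remote VPN-1 gateway

    protected = make_packet(client_ip, vpn_peer_ip, b"ping request")

    if use_udp_encapsulation:
        # The NAT rewrites only the outer header; the inner packet is untouched.
        wire = udp_encapsulate(protected, client_ip, vpn_peer_ip)
        received = udp_decapsulate(nat_outbound(wire, gateway_public_ip))
    else:
        # The NAT rewrites the very field the ICV was computed over.
        received = nat_outbound(protected, gateway_public_ip)

    return verify_packet(received)


if __name__ == "__main__":
    print("plain IPsec through NAT verifies:", simulate(False))   # False
    print("UDP-encapsulated through NAT verifies:", simulate(True))  # True
```

Running the module shows the plain packet failing verification after the source rewrite and the UDP-wrapped packet passing, which is the difference between "tunnel negotiates but no traffic flows" and a working connection.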
 