
VPN client behind home Router not working

Status
Not open for further replies.

vpnprob (MIS)
Jul 8, 2002
Hello, I am running Checkpoint VPN-1 Secure Client 4.1 SP3 3DES Build 4174 on my laptop. If I connect to my RCN cable modem directly, it works fine. When I try to connect from behind my home router (I've tried Linksys and Belkin) it does not work. I don't get automatically prompted to sign on to the policy server. So, I click on "log on to policy server" and put my id and pw in. It comes back with "User authenticated". But I don't really have any access to my company's network. I can't get to any of my mapped network drives, can't access company email, can't get to the company intranet. I tried putting my laptop in the home router DMZ area, but that did not work. I tried forwarding port 500, that did not work. My cable company (RCN) registers the MAC address, and the home router can "mimic" it. The router is doing something to prevent the VPN, but I don't know what. I tried SPI on and off. I tried IPSEC passthrough on and off. I tried NAT enabled and disabled. My laptop is running NT. I have the TCP/IP protocol properties set as follows: 1. obtain IP from DHCP server; 2. the DNS domain is set to xxx.com (where xxx is my company); 3. I have my company's primary and secondary WINS servers' IP addresses listed under the WINS tab property.

Any help would be greatly appreciated.

If I can't get this to work behind my home router, I have to call the cable company each time I need to switch from using my home PC and my laptop, due to them registering the MAC address. What a pain! Is there something other than a router that I could use... switch, bridge, hub? Can any of them "mimic" the MAC address of my home PC (like a router) but still allow me to connect with my laptop? I don't need to have both connected. I would only be on one or the other, but don't want to have to call the cable company each time.

Thanks!
 
Try upgrading your SecuRemote client to build 4185 for Win 9x (4199 will not work with Win 9x). Then go into Tools > Encryption and force the encapsulation to UDP (you will need to reboot in order for this to take effect). It should work, as I have numerous remote users using Linksys etc. routers. If you are still having problems, convince your firewall administrator to snoop the firewall (I hope he/she is using Solaris) and see if the traffic is getting to the wall at all. You may have to dig into your router itself and make sure it isn't blocking IPsec traffic (I believe there was one version of Linksys code that was a problem).
good luck,
 
I ran into the very same problem and the eventual solution was nothing that I expected it to be. The one thing that most administrators forget is the layered structure of the most wonderful IP stack. The following key words should give you a big hint as to the solution... "Routing PREcedes encryption." The packets and the tunnel get set up correctly; that is obvious from the authenticated message you receive. However, when the firewall itself goes to re-encode this packet it is looking to its routing tables for the trusted address... This is the address that is encoded INSIDE of the encrypted payload (ex. 192.168.0.20 for your machine behind your Linksys or home router), so the server looks to send that encrypted packet back to that IP address... but guess what, that's your internal non-routable network, and to make matters worse your company might be using the same network in their LAN/WAN. So now where does that packet go?? This created a very frustrating situation for both the VPN-er and the networking guys at the company. In short, something to try is this... set your home address behind your home router to a private address that is NOT being used by the company, ex. anything inside of the 10.x.x.x range (ex. 10.1.1.100), and request the networking guys of your company to install a route on the firewall (not in Checkpoint but on the OS itself) to point that network to the outside interface (Windows ex. route add 10.1.1.0 mask 255.255.255.0 "OUTSIDE NIC IP NET"). This tells the firewall that trusted packets coming from that subnet should be routed back out through the outside interface. Hope that helps!! PS... Checkpoint SecuRemote versions really don't make a hill o' beans of difference in this matter.... but I would suggest that you run the 4199 client! Enjoy...
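The address-overlap problem described in the post above, as an added diagnostic example that is not part of the original thread: it checks whether the home LAN behind the router collides with the company's internal networks, picks a /24 inside 10.0.0.0/8 that the company does not use, and builds the Windows route line the post quotes for the gateway OS. The home and company subnets and the outside interface address are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample data: the LAN behind the home router and the
# company's internal networks (assumed values, not from the thread).
HOME_LAN = "192.168.0.0/24"
COMPANY_NETS = ["192.168.0.0/16", "172.16.0.0/12"]


def overlapping_nets(home_lan: str, company_nets: Iterable[str]) -> List[str]:
    """Return the company networks that overlap the home LAN.

    A non-empty result is the failure mode in the post: the gateway routes
    the inner (trusted) address of the tunnel into the corporate LAN
    instead of back out through its external interface.
    """
    home = ipaddress.ip_network(home_lan, strict=False)
    return [n for n in company_nets
            if home.overlaps(ipaddress.ip_network(n, strict=False))]


def pick_unused_subnet(company_nets: Iterable[str], prefixlen: int = 24) -> Optional[str]:
    """First /prefixlen inside 10.0.0.0/8 that no company network overlaps.

    Mirrors the advice above: move the home LAN to a private range the
    company does not use. Returns None if all of 10/8 is taken.
    """
    used = [ipaddress.ip_network(n, strict=False) for n in company_nets]
    for cand in ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def gateway_route_cmd(subnet: str, outside_if_ip: str) -> str:
    """Windows 'route add' line for the gateway OS, in the form the post quotes.

    outside_if_ip is a placeholder for the gateway's external interface address.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return f"route add {net.network_address} mask {net.netmask} {outside_if_ip}"


if __name__ == "__main__":
    clash = overlapping_nets(HOME_LAN, COMPANY_NETS)
    print("overlap with company nets:", clash or "none")
    new_lan = pick_unused_subnet(COMPANY_NETS)
    print("suggested home LAN:", new_lan)
    print("route on gateway OS:", gateway_route_cmd(new_lan, "203.0.113.1"))
```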
 
This was truly the case in my situation. I had a similar IP as my company and it failed every time. Now I am able to get in.
 
I would agree with Meugstreamz. You will need to set this up on the firewall or use a public IP address to get this to work.
 
I had a similar problem with my SMC router: I would be able to connect, but would quickly be disconnected. I upgraded the firmware for the SMC router and everything has been fine since. I would look into the Linksys software; you may need to do some special config to allow IPsec through your Linksys router, if you have FW options enabled.
 
The issue is that your client behind the SMC/Linksys/insert-your-brand-here client router/firewall isn't passing the data to the client because it is doing PAT. And BTW, AH-type VPN won't ever work. You can verify this by looking at your logs if your client router/firewall keeps them. You can do a couple of things to fix it. You can encapsulate in UDP as suggested by snaphy. That is your most reliable bet because it is an independent fix across the board as far as router manufacturers go. You can also forward the proper ports that are being sent back to the client to their IP address by configuring port forwarding on the router. Those are your best bets.
 
With my ISP and Linksys router I don't get a static IP. So I set up my connection directly to my PC. So when I put the Linksys in place I have to clone the MAC address from my PC NIC on the Linksys.
 