FW: What ports need to be opened on remote fw to use Checkpoint SecuRemote VPN w/IKE?
Sean McCreanor
seanm at COMTECH.COM.AU
Mon Apr 23 23:19:12 EDT 2001
Point 3 & 4 need clarification. These should be IP protocol 50 and 51
(more than likely ESP is being used which is IP protocol 50). This would
probably explain why IKE phase 1 is negotiating (and authentication is
sucessful) but maybe the IPSec SA's are not being established (IKE phase
2).
The second question would be whether this is a single host or multiple
hosts that is attempting to establish the IPSec tunnel with SR. If it is
multiple hosts, IPSec encapsulated in UDP would be required if the hosts
were being 'hide' NAT'ed behind the Watchguard firewall. This
modification needs to be manually done in the userc.C file.
Hope this helps.
Sean.
Sean McCreanor
Security Engineer
Com Tech Communications
121-127 Harrington Street
Sydney Australia 2000
Phone +61 2 8249 5086
Mobile +61 418 485 312
-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of
Michael LeClair
Sent: Saturday, 21 April 2001 7:37 AM
To: VPN at SECURITYFOCUS.COM
Subject: Fw: What ports need to be opened on remote fw to use Checkpoint
SecuRemote VPN w/IKE?
Help.
We are trying to get a Checkpoint-1 SecuRemote VPN connection to work
with a Checkpoint-1 (Nokia) firewall using IKE from behind a Watchguard
Firebox II fw.
The admin of the gateway fw said to open the following ports:
1.) TCP 256
2.) UDP 259
3.) UDP 50
4.) UDP 51
5.) UDP 500
... but, even though authentication is successful, a connection to the
client machines on their network behind their Checkpoint fw are not
accessible (can't telnet, ping, ftp, etc, all of which should be
available).
As an aside, I have seen incoming packet rejections on port 0 on our
Watchguard firewall from the Checkpoint-1 fw, but this port number may
not be accurate. I even saw somewhere that there may be a potential DOS
on port 0 using SecuRemote (supposedly reboots Unix clients?).
Any expert help would be appreciated.
mike
VPN is sponsored by SecurityFocus.COM
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sean McCreanor (seanm at comtech.com.au).vcf
Type: text/x-vcard
Size: 2124 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20010424/ab04f913/attachment.vcf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3596 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20010424/ab04f913/attachment.bin
More information about the VPN
mailing list