Fw: What ports need to be opened on remote fw to use CheckpointSecuRemote VPN w/IKE?
Tina Bird
tbird at PRECISION-GUESSWORK.COM
Tue Apr 24 12:49:31 EDT 2001
TCP/256 and 259 are Checkpoint-proprietary management protocols.
They're probably not required to be open on the firewall for IPsec
to work (tho' it's always a little hard to say).
The other situation I've seen that can create the problem Michael
is describing is getting the IPsec configuration correct on both
ends of the connection, but not having a rule in the firewall
policy that allows traffic to flow between the two endpoints.
That is, on a FW-1 you have to have a rule that allows IPsec protocols
between the two gateways -- but you >also< have to have a rule
that allows traffic between the client and the remote LAN, or
the local LAN and remote LAN. I don't know if Watchguard works
the same way, but that's another thing to check.
cheers -- tbird
On Tue, 24 Apr 2001, Sandy Harris wrote:
> Date: Tue, 24 Apr 2001 00:04:51 -0400
> From: Sandy Harris <sandy at STORM.CA>
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Fw: What ports need to be opened on remote fw to use CheckpointSecuRemote VPN w/IKE?
>
> Michael LeClair wrote:
> >
> > Help.
> >
> > We are trying to get a Checkpoint-1 SecuRemote VPN connection to work
> > with a Checkpoint-1 (Nokia) firewall using IKE from behind a Watchguard
> > Firebox II fw.
> >
> > The admin of the gateway fw said to open the following ports:
> >
> > 1.) TCP 256
> > 2.) UDP 259
>
> Checking
> http://www.isi.edu/in-notes/iana/assignments/port-numbers
> I see TCP and UDP 256 are for RAP, which I know nothing about.
>
> > 3.) UDP 50
> > 4.) UDP 51
> > 5.) UDP 500
> >
> > ... but, even though authentication is successful, a connection to the
> > client machines on their network behind their Checkpoint fw are not
> > accessible (can't telnet, ping, ftp, etc, all of which should be
> > available).
> >
> > As an aside, I have seen incoming packet rejections on port 0 on our
> > Watchguard firewall from the Checkpoint-1 fw, but this port number may
> > not be accurate. I even saw somewhere that there may be a potential DOS
> > on port 0 using SecuRemote (supposedly reboots Unix clients?).
> >
> > Any expert help would be appreciated.
> >
> > mike
> >
> > VPN is sponsored by SecurityFocus.COM
>
> IPSEC uses **protocols** (not ports) 50 (ESP) and 51 (AH) for the actual
> VPN data. Negotiations to set up those connections use IKE on UDP port
> 500.
>
> One reference is the firewalls section of the FreeS/WAN (Linux IPSEC)
> documentation:
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.9/doc/firewall.html
>
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com
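Added illustration (not from the thread or from any vendor): a small first-match policy evaluator that encodes Sandy's point that ESP and AH are IP protocols 50 and 51 rather than ports, and Tina's point that a FW-1 style policy needs both a gateway-to-gateway IPsec rule and a separate LAN-to-LAN rule for the decapsulated traffic. Addresses and networks are constructed placeholders, and only one direction of each flow is checked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IP protocol numbers: ESP and AH are protocols, not TCP/UDP ports.
ESP, AH, UDP, TCP = 50, 51, 17, 6

@dataclass(frozen=True)
class Rule:
    src: str                     # CIDR or host
    dst: str                     # CIDR or host
    proto: Optional[int]         # None matches any IP protocol
    dport: Optional[int] = None  # only meaningful for TCP/UDP

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto)
                and (self.dport is None
                     or (proto in (TCP, UDP) and dport == self.dport)))

def permitted(policy: List[Rule], src: str, dst: str,
              proto: int, dport: Optional[int] = None) -> bool:
    """Accept on first matching rule; anything unmatched is dropped (implicit deny)."""
    return any(r.matches(src, dst, proto, dport) for r in policy)

# Constructed placeholder addresses; one direction only (a real policy also needs replies).
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
LAN_A, LAN_B = "192.0.2.0/24", "10.10.0.0/16"

# What the remote admin asked for: "UDP 50" and "UDP 51" are ports, so ESP/AH never match.
WRONG = [Rule(GW_A, GW_B, UDP, 500), Rule(GW_A, GW_B, UDP, 50), Rule(GW_A, GW_B, UDP, 51)]

# Gateway-to-gateway IPsec correct, but the LAN-to-LAN rule Tina describes is missing.
GATEWAY_ONLY = [Rule(GW_A, GW_B, UDP, 500), Rule(GW_A, GW_B, ESP), Rule(GW_A, GW_B, AH)]

# Both halves: IKE/ESP/AH between the gateways plus the decapsulated inner traffic.
COMPLETE = GATEWAY_ONLY + [Rule(LAN_A, LAN_B, None), Rule(LAN_B, LAN_A, None)]

def tunnel_works(policy: List[Rule]) -> bool:
    """True only if IKE, ESP between the gateways and an inner LAN-to-LAN packet all pass."""
    ike = permitted(policy, GW_A, GW_B, UDP, 500)
    esp = permitted(policy, GW_A, GW_B, ESP)
    inner = permitted(policy, "192.0.2.10", "10.10.1.5", TCP, 23)  # telnet, LAN A -> LAN B
    return ike and esp and inner
```

With the WRONG policy IKE succeeds but ESP is dropped, which is exactly the "authentication works, nothing else does" symptom; GATEWAY_ONLY passes ESP but still blocks the inner telnet until the LAN-to-LAN rule is added.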