IPSEC Client connectivity through CheckPoint

Pete Davis pete at ETHER.NET
Wed Jan 24 20:54:45 EST 2001


When you say "time out". Does an active session time out or is the client
never able to successfully connect? If the issue is that you are never able to
successfully connect (i.e never even get a username/password prompt), this
usually indicates that something blocked the IKE negotiation (UDP) or that the
group name/password do not match.

Things to check: Is your FW configured to drop fragmented packets?
This could be problematic, especially if you're using Certificates.

Is the FW doing NAT or PAT? (Is it assigning a unique outside address to each
connection or simply mapping ports?). If you're using the IPsec/NAT
functionality in the client, you do not need to open up ESP Proto-50, but you
will also need to open up whatever the UDP port is that you're using for the
Data stream (by default this is set to 10,000), this is configurable in the
group. You do not need to open up AH-Proto 51 since you're not using AH.
For your filters on the CHKP you should be permitting SRC X DST 500 PROTO UDP,
SRC ANY DST 10000 (or whatever you set) PROTO UDP. If you're not using the
client IPsec/NAT functionality, you would need SRC X DST 500 PROTO PROTO UDP

If you attempt to open up an ALL filter from X to the VPN Concentrator
temporarily on the FW allowing any traffic from the Client to the VPN
Concentrator, do this work?
(This would help to isolate whether there is a filter problem or something
else is wrong) Do you see retransmit messages in the Client Log Viewer - Set
to High?

I assume that you have set the MTU on the client to be 1400 or lower. It's also
worth trying Client v2.5.2(a) available on CCO under SW CENTER / VPN / 3000
(you must first log in with your Smartnet Account). There were no changes
between 2.5 and 2.5.2a (see the release notes posted) that would have any
effect on this, but it's worth upgrading anyhow.

Best Regards,

On Wed, Jan 24, 2001 at 01:58:19PM -0800, Michael Hoffert wrote:
> Hello,
> I have an issue with getting a client's IPSEC
> connectivity through a  Checkpoint firewall.  Refering
> to the topology below, we have confimed that
> - the devices have ping capabilities (network
> connectivity)
> - The firewall has all ports opened from the 3000's IP
> address (including proto port 50, 51, and UDP500)
> - A sniffer at point Z (in between Vendor A's
> Concentrator and Router) indicates that UDP 500
> packets are being received.and transmitted
> - Vendor B's router is seeing the packets come back
> (via ip accounting)
> - the Checkpoint FW doesn't appear to have any dropped
> packets from Vendor A's concentrator or Vendor B's
> client.
> - The client workstation (running 98 and Cisco 2.5
> client) will eventually time out.
> Other Notes:
> - Vendor B's FW is also terminating checkpoint VPN
> connections but this address is not in the encryption
> group
> - Vendor B's FW is also doing NAT (we have the client
> to utilize IPSEC/ NAT)
> - Vendor B has no resources to capture traffic on
> private segment
> Any ideas would be appreciated,
> -Mike-
>   |Cisco3000| Vendor A
>       |  <--- Sniffer Z
>       v
>    |Router|
>       |
>       v
>   (Internet)
>       |
>       v
>    |Router|
>       |
>       v
> |Checkpoint/Nokia FW|
>      NAT
>       |
>       v
>   |Client|
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Auctions - Buy the things you want at great prices.
> http://auctions.yahoo.com/
> VPN is sponsored by SecurityFocus.COM

     Pete Davis - Product Manager <psd at cisco.com>  (508) 541-7300 x6154
         Cisco Systems, Inc.  - 38 Forge Park   Franklin, MA 02038

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list