[VPN] multiple VPNs *through* checkpoint

Tina Bird tbird at precision-guesswork.com
Tue Dec 10 13:27:54 EST 2002


On Mon, 9 Dec 2002, gclef at speakeasy.net wrote:

> So, I've got an interesting question: has anyone tried to pass multiple IPSec VPNs through (i.e. not terminating at) a Checkpoint Firewall?  (especially one that's doing a many-one NAT)
>
> I'm wondering how the firewall will handle the need for udp port 500 traffic (inbound through the firewall) to do the VPN keying.
>
Badly, probably ;-) The big thing to be aware of is that in order for IKE
negotiation to succeed, both source and destination UDP ports must be 500.
So you have to configure the firewalls to pass through the original ports
without modifying them.  Otherwise the destination machine can't tell it's
dealing with IKE.

> Anyone try this yet?
>
I don't know off the top of my head how to do this on a Checkpoint.  Look
for something including words like "port translation" or PAT...

tbird
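
Added example (not part of the original post, and not a model of Check Point's actual NAT code): a toy many-to-one NAT table showing why ordinary port translation breaks a peer that insists on UDP 500 for both ports, and what passing the port through unmodified changes. It goes one step beyond the post by also showing that with the port preserved, replies can only be told apart by remote peer, so two inside hosts cannot key with the same gateway. Addresses are constructed documentation-range values; the class and function names are hypothetical.

```python
IKE_PORT = 500

class ManyToOneNat:
    """Toy hide-NAT table for UDP; a teaching model, not any vendor's logic."""

    def __init__(self, public_ip, preserve_ike_port):
        self.public_ip = public_ip
        self.preserve_ike_port = preserve_ike_port
        self.next_port = 10000   # constructed start of the PAT port pool
        self.flows = {}          # inside flow -> public source port
        self.sessions = {}       # (public port, peer ip, peer port) -> inside host

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return (public_ip, public_port), or None if the mapping collides."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.flows:
            return (self.public_ip, self.flows[flow])
        if self.preserve_ike_port and src_port == dst_port == IKE_PORT:
            public_port = IKE_PORT          # pass the original port through
        else:
            public_port = self.next_port    # ordinary port translation
            self.next_port += 1
        key = (public_port, dst_ip, dst_port)
        if key in self.sessions:
            return None  # another inside host already holds 500<->500 to this peer
        self.sessions[key] = (src_ip, src_port)
        self.flows[flow] = public_port
        return (self.public_ip, public_port)

    def inbound(self, peer_ip, peer_port, public_port):
        """Find the inside host for a reply, or None if no mapping exists."""
        return self.sessions.get((public_port, peer_ip, peer_port))

def peer_accepts_ike(src_port, dst_port):
    """Peer behaviour as described in the post: both ports must be 500."""
    return src_port == IKE_PORT and dst_port == IKE_PORT

if __name__ == "__main__":
    pat = ManyToOneNat("203.0.113.1", preserve_ike_port=False)
    _, port = pat.outbound("10.0.0.5", 500, "198.51.100.10", 500)
    print("translated source port", port, "accepted:", peer_accepts_ike(port, 500))
    keep = ManyToOneNat("203.0.113.1", preserve_ike_port=True)
    print(keep.outbound("10.0.0.5", 500, "198.51.100.10", 500))
    print(keep.outbound("10.0.0.6", 500, "198.51.100.20", 500))
    print(keep.inbound("198.51.100.20", 500, 500))
    print(keep.outbound("10.0.0.6", 500, "198.51.100.10", 500))  # None: collision
```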



