[VPN] SecureClient VPN + Hummingbird Exceed, NG FP3

Ueckert, Samuel D. samuel.ueckert at unocal.com
Thu Jan 16 13:31:25 EST 2003


Hi,

I am currently running a test network to evaluate whether Checkpoint NG will
meet our VPN needs. Our goal is to run X sessions across a SecureClient VPN
using Exceed.

The VPN forms without any trouble, and I can access network resources on the
protected network across the tunnel. I can ping the VPN client machine from
the Unix host, and vice versa. I have Desktop Security essentially wide
open, and I can initiate various sessions (FTP, for example) inbound to the
machine running SecureClient from the protected network across the tunnel.
When I attempt to initiate any X session (xterm, for example) across the
tunnel, I get an error: "Xt: Can't open display 192.168.2.1:0.0" (the Office
Mode address of my VPN client). I have tried with and without Office Mode
enabled, and neither worked.

I have gleaned some additional info from packet capture: No traffic
initiated from the private network with a destination of the Office Mode
clients is being encrypted. It is instead going out the firewall in the
clear and being NATed.

I am using 'Simplified' mode for VPNs on the FW-1/VPN-1 box. I do
not have an option of 'Client Encrypt' for actions in the
'Security-Standard' rules, even if I turn off 'Simplified' mode.

How do I specify that traffic bound for the Office Mode IP pool should
be encrypted and sent over the tunnel?

The Exceed configuration is a 'known good' one; I can patch the client
machine down on the protected network and connect just fine. I also tried
connecting to the host machine across a router, without any firewalls
between the client and the host, without running SecureClient, and connected
just fine, so I am confident that the problem involves SecureClient.

The test network is as follows:

The client machine is running SecureClient NG FP3 on Windows XP SP1. Its
default gateway is a Cisco router with two Ethernet interfaces. The router
has no access lists or firewall software installed. The Exceed version on the
client is 7.0.

The other Ethernet interface of the Cisco connects to the external interface
of the FW-1/VPN-1 gateway. It is running NG FP3 on Solaris 8. Its default
gateway is the Cisco router. It NATs (hide mode) between the internal
network and the external network.

The Unix host machine that I am connecting to sits on the internal network
behind the FW-1/VPN-1, and uses the FW-1 as its gateway. It is also a
Solaris 8 box.


The Cisco router in this test network only exists so that the client machine
and the FW-1/VPN-1 box don't have addresses on the same network, which is
forbidden for Office Mode.

Any help you can lend would be appreciated.

Best Regards,

Sam Ueckert.
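The symptom described in the post (packets from the private network to an Office Mode client leaving the gateway's external interface in the clear, hide-NATed, instead of inside the tunnel) is easy to confirm mechanically from a capture. The following is an added example, not code from the post or from Check Point: a small checker that reads a simplified, constructed capture format (`time iface src[:port] > dst[:port] proto`), and flags any packet on the external interface whose destination is inside the Office Mode pool and which is not tunnel traffic (ESP/AH, IKE on UDP/500, NAT-T on UDP/4500, or Check Point's UDP encapsulation on UDP/2746). The pool 192.168.2.0/24, the gateway external address 203.0.113.10, the client's real address 198.51.100.20 and the internal host 10.0.0.5 are all assumed sample values; only 192.168.2.1 comes from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the Office Mode pool is 192.168.2.0/24 (the post only names
# the single client address 192.168.2.1).
OFFICE_MODE_POOL = ipaddress.ip_network("192.168.2.0/24")

# UDP ports that legitimately carry tunnel traffic toward a VPN client:
# IKE (500), NAT-T (4500) and Check Point UDP encapsulation (2746).
TUNNEL_UDP_PORTS = {500, 4500, 2746}
TUNNEL_PROTOS = {"ESP", "AH"}


@dataclass
class Packet:
    ts: str
    iface: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str


def parse_endpoint(token: str):
    """Split 'host:port' into (host, port); ESP/AH lines carry no port."""
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    return host, int(port)


def parse_line(line: str) -> Packet:
    """Parse one line of the constructed capture format."""
    ts, iface, src_tok, arrow, dst_tok, proto = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected capture line: {line!r}")
    src, sport = parse_endpoint(src_tok)
    dst, dport = parse_endpoint(dst_tok)
    return Packet(ts, iface, src, sport, dst, dport, proto)


def is_tunnel_packet(p: Packet) -> bool:
    """True if the packet is encrypted/encapsulated VPN traffic."""
    if p.proto in TUNNEL_PROTOS:
        return True
    return p.proto == "UDP" and (p.sport in TUNNEL_UDP_PORTS or p.dport in TUNNEL_UDP_PORTS)


def find_cleartext_to_pool(capture: str, pool=OFFICE_MODE_POOL, external_iface="ext") -> List[Packet]:
    """Return packets seen on the external interface that are addressed
    directly to an Office Mode address without being tunnelled. A correctly
    encrypted packet never shows the pool address on the wire: the outer
    header is addressed to the client's real (public) address."""
    findings = []
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        p = parse_line(raw)
        if p.iface != external_iface:
            continue
        if ipaddress.ip_address(p.dst) in pool and not is_tunnel_packet(p):
            findings.append(p)
    return findings


# Constructed sample capture (not real data). The fourth line reproduces the
# reported failure: the Unix host's X connection to the client's display :0
# (TCP/6000) leaves the external interface hide-NATed and unencrypted.
SAMPLE_CAPTURE = """\
13:31:01 ext 203.0.113.10:500 > 198.51.100.20:500 UDP
13:31:02 ext 203.0.113.10 > 198.51.100.20 ESP
13:31:05 int 10.0.0.5:41002 > 192.168.2.1:6000 TCP
13:31:05 ext 203.0.113.10:41002 > 192.168.2.1:6000 TCP
13:31:06 ext 203.0.113.10:2746 > 198.51.100.20:2746 UDP
"""

if __name__ == "__main__":
    for pkt in find_cleartext_to_pool(SAMPLE_CAPTURE):
        print(f"{pkt.ts} CLEARTEXT to Office Mode client: "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}")
```

Run against the sample, the checker reports exactly one packet: the TCP/6000 connection to 192.168.2.1 on the external interface. The same line on the internal interface is not a finding, because traffic is expected to be in the clear before the gateway encrypts it; what should never appear is the pool address as the destination of a non-ESP packet on the outside.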



