Koozali.org: home of the SME Server

Checkpoint VPN Secure Remote

bud

Checkpoint VPN Secure Remote
« on: November 19, 2002, 07:57:08 PM »
We replaced an IBM Whistlejet with SME5.  Now, we are only able to connect a single Checkpoint VPN-1 Secure Remote connection at a time.

If someone is already connected, nobody else in the office can connect.

The Whistlejet allowed multiple connections AND it did NAT.  What's up?

Bob Todd

Re: Checkpoint VPN Secure Remote
« Reply #1 on: November 20, 2002, 01:33:21 AM »
All a bit new to me, this stuff, but I take it you have correctly set up the remote access options in the server-manager to allow multiple connections? If the Checkpoint box is passing PPTP connections you'd need to tell the SME server to allow for x number of PPTP clients. Not familiar with the Checkpoint box; I use a Gnatbox GB1000 myself.

bud

Re: Checkpoint VPN Secure Remote
« Reply #2 on: November 20, 2002, 01:39:55 AM »
Bob,

Thanks for the reply.  Let me clarify my question...

I am not talking about using the PPTP services on the server.  I am talking about allowing passthru:

CP VPN-1 Client --> "thru Mitel server" --> to Internet --> to CP Firewall

It only allows a single client to connect.  If another client tries to connect from behind the server, it rejects them.  The Mitel server is using NAT.

Bob Todd

Re: Checkpoint VPN Secure Remote
« Reply #3 on: November 20, 2002, 03:07:26 AM »
Is this maybe a setting on the CP firewall that's the problem then? Is it rejecting multiple connections from a single IP, remembering that if you're using NAT then all connections from your network behind the SME box appear to come from the one "external" IP?

bud

Re: Checkpoint VPN Secure Remote
« Reply #4 on: November 20, 2002, 03:35:37 AM »
That's a good point; however, the old Whistlejet was using NAT as well.  Maybe I need to open additional ports?

Ryan

Re: Checkpoint VPN Secure Remote
« Reply #5 on: November 20, 2002, 07:14:53 PM »

Ryan

Re: Checkpoint VPN Secure Remote
« Reply #6 on: November 20, 2002, 07:17:19 PM »
Do a search for IPSEC vpn in this forum.  This issue has been discussed several times.

Ryan

bud

Re: Checkpoint VPN Secure Remote
« Reply #7 on: November 20, 2002, 07:34:43 PM »
It still doesn't answer my first question:

How can I get more than one person to connect to the VPN at once?  Can the IPSEC module support multiple connections?

Ryan

Re: Checkpoint VPN Secure Remote
« Reply #8 on: November 20, 2002, 07:49:05 PM »
I had the same problem with the Nortel Extranet Client.  The simple commands shown on the link in my last message will allow multiple connections for Extranet Clients.  This command adds IPSEC through NAT for the kernel (or something like that).  I also had to check 'disable keep alives' for each client or the connection fails within a few minutes.

Ryan

Bill Talcott

Re: Checkpoint VPN Secure Remote
« Reply #9 on: November 20, 2002, 08:05:36 PM »
Just stumbled across this...

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html (from http://ipmasq.cjb.net/)

"If you are using a Checkpoint SecuRemote VPN with FWZ-encapsulated tunnels, you will not be able to masquerade the traffic. Configure your VPN to use pure IPsec protocols and permit NAT, and avoid the CheckPoint proprietary FWZ protocols. See the VPN Masquerade HOWTO for more details."

Might help you out...

bud

Re: Checkpoint VPN Secure Remote
« Reply #10 on: November 20, 2002, 08:07:41 PM »
Thanks Ryan,

We will try your suggestions.  If anyone is searching this thread in the future, I have included a copy of help text from checkpoint.  I think this might have something to do with my problem:

--------------
5. Symptom : "Two users behind the same NAT device can not have access to the corporate network"

Scenario : Two SecuRemote users behind the same NAT device.

Explanation : Some NAT devices do not translate the Source port and therefore cannot support the following scenario: IKE is UDP/500 and UDP Encapsulation is UDP/2746 over static Source/Destination port. It is not a Check Point, but a NAT device limitation.

Workaround : Use a NAT device that supports port address translation.

Solution:
- SecureClient NG FP3 addresses this issue, by binding in two different UDP ports for IKE and UDP Encapsulation. In order to support it, you need to force UDP Encapsulation on the Client and add the option ChangeUDPsport to "true" in the userc.C.

- With previous SecureClient builds: some NAT devices handle ESP packets better than UDP. Therefore, you may want to force ESP. In order to do it, you need to disable "force UDP Encapsulation" on the Client. On the Mgmt, you need to change the property udp_encapsulation_by_qm_id from "true" to "false".

----------------
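As an added illustration of the Check Point note quoted above (this is not code from the thread, from SME Server, or from Check Point): a small Python model of a NAT translation table. One variant rewrites only the source address and keeps the client's source port (the "static Source port" case the note describes); the other also allocates a fresh external port per flow (port address translation). The internal client addresses and the gateway address are constructed placeholders. The model shows why the second SecuRemote client behind a static-port NAT cannot get its own IKE (UDP/500) and UDP-encapsulation (UDP/2746) mappings, while a PAT device gives each client distinct external ports.

```python
"""Model of why two IPsec clients behind one NAT collide without PAT.

Constructed example, not from the forum thread: a minimal NAT mapping
table that either keeps the client's source port (static source port)
or allocates a new external port per flow (port address translation).
"""

from dataclasses import dataclass

IKE_PORT = 500            # IKE, UDP/500 (from the Check Point note)
UDP_ENCAP_PORT = 2746     # Check Point UDP encapsulation, UDP/2746 (from the note)
NAT_EXTERNAL_IP = "203.0.113.1"   # constructed: the NAT box's public address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Outbound NAT with a reverse table used to route replies back."""

    def __init__(self, pat: bool):
        self.pat = pat
        self.next_port = 1024
        # (src_ip, src_port, dst_ip, dst_port) -> external source port
        self.outbound = {}
        # (ext_port, dst_ip, dst_port) -> (src_ip, src_port) that owns it
        self.inbound = {}

    def translate(self, flow: Flow):
        """Return the translated flow, or None if the reply path would be ambiguous."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key in self.outbound:
            ext_port = self.outbound[key]          # existing mapping is reused
        elif self.pat:
            ext_port = self.next_port              # PAT: fresh external port per flow
            self.next_port += 1
        else:
            ext_port = flow.src_port               # static source port: keep 500 / 2746

        reverse = (ext_port, flow.dst_ip, flow.dst_port)
        owner = self.inbound.get(reverse)
        if owner is not None and owner != (flow.src_ip, flow.src_port):
            # Another internal host already owns (ext_port, gateway, port):
            # replies from the gateway could not be told apart, so refuse.
            return None

        self.outbound[key] = ext_port
        self.inbound[reverse] = (flow.src_ip, flow.src_port)
        return Flow(NAT_EXTERNAL_IP, ext_port, flow.dst_ip, flow.dst_port)


def connect_clients(pat: bool,
                    clients=("192.168.1.10", "192.168.1.11"),   # constructed
                    gateway="198.51.100.5"):                    # constructed
    """Each client opens its IKE and UDP-encapsulation flows to the gateway.

    Returns {client_ip: (external IKE port, external encap port)} or
    {client_ip: None} when the NAT could not give that client its own mappings.
    """
    nat = Nat(pat)
    result = {}
    for ip in clients:
        ike = nat.translate(Flow(ip, IKE_PORT, gateway, IKE_PORT))
        enc = nat.translate(Flow(ip, UDP_ENCAP_PORT, gateway, UDP_ENCAP_PORT))
        result[ip] = None if ike is None or enc is None else (ike.src_port, enc.src_port)
    return result


if __name__ == "__main__":
    print("static source port:", connect_clients(pat=False))
    print("port address translation:", connect_clients(pat=True))
```

With the static-port NAT the first client gets 500 and 2746 and the second client is refused on both flows, which matches the symptom in the note; with PAT both clients get distinct external ports, so the gateway sees two separate peers behind one address.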

bud

Re: Checkpoint VPN Secure Remote
« Reply #11 on: November 20, 2002, 08:13:18 PM »
Does SME support port address translation?  I'm pretty sure that it does... These are the modules that I have loaded:

Module                  Size  Used by
appletalk-fixed        20960  12  (autoclean)
rtl8139                12416   2  (autoclean)
ip_masq_vdolive         1376   0  (unused)
ip_masq_raudio          3008   0  (unused)
ip_masq_quake           1392   0  (unused)
ip_masq_pptp            4560   0  (unused)
ip_masq_irc             1632   0  (unused)
ip_masq_ipsec           7728   0  (unused)
ip_masq_icq            10144   0  (unused)
ip_masq_h323            3600   0  (unused)
ip_masq_ftp             4256   0  (unused)
ip_masq_cuseeme         1120   0  (unused)
ip_masq_portfw          2608   0  (autoclean) (unused)
agpgart                18608   0  (unused)
usb-uhci               19056   0  (unused)
usbcore                42096   1  [usb-uhci]

It looks like ip_masq_ipsec and ip_masq_pptp are both loaded and ready to go...