RE: [fw-wiz] Checkpoint VPN
From: David West (davidawest_at_gmail.com)
Date: 07/20/05
- Previous message: Yehuda Goldenberg: "[fw-wiz] VOIP versus PBX"
- Maybe in reply to: QTR: "[fw-wiz] Checkpoint VPN"
- Next in thread: QTR: "Re: [fw-wiz] Checkpoint VPN"
- Reply: QTR: "Re: [fw-wiz] Checkpoint VPN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: tmwhitm@gmail.com Date: Wed, 20 Jul 2005 15:39:17 +1000
Sounds like your ike/udp is fragmenting somewhere between the client
and your firewall. This almost always occurs with x.509 certificate
authentication as the cert is too big for a standard Ethernet frame
and dropeed by many cable/dsl routers. Try using ike/tcp. On your
gateway(s) enable support IKE over TCP in global properties and by
enable the following on in SecureClient for your sites profile:
+ Connectivity enhancements
+ Use NAT traversal tunneling
- IKE over TCP
- Force UDP encapsulation
David
-----Original Message-----
From: QTR [mailto:tmwhitm@gmail.com]
Sent: Wednesday, 13 July 2005 12:09 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Checkpoint VPN
Hello, I was wondering if someone could point me in the right
direction. I have come off a long run of managing Cyberguard
firewalls and am now in the Checkpoint realm, so forgive my ignorance.
I am having an issue with secure client. I have several SoHo users
whose default routers place them on a 172.16.0.0 network. These users
cannot connect to the gateway. Dumps on the checkpoint fw gateway
show no incoming packets and a dump on the client show udp 500 leaving
the client, which leads me to the router/firewall @ the SoHo. Router
makes vary, anywhere from 2wire to netgear, the result is the same. I
initially thought it had something to do with the routing topology
since our topology pushes a static route for a 172 network, but I had
the SoHo router changed to a 10 network that is statically routed in
the topology and that worked fine. At this point I am at a loss. Any
suggestions would be appreciated.
Thank you,
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Yehuda Goldenberg: "[fw-wiz] VOIP versus PBX"
- Maybe in reply to: QTR: "[fw-wiz] Checkpoint VPN"
- Next in thread: QTR: "Re: [fw-wiz] Checkpoint VPN"
- Reply: QTR: "Re: [fw-wiz] Checkpoint VPN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
