
Author Topic: Checkpoint VPN help needed  (Read 3529 times)


Offline gewwang

Checkpoint VPN help needed
« on: November 04, 2004, 11:29:02 AM »
I'm getting "testing tunnel failure" trying to connect from home to work. I'm going from my laptop thru a Linksys router/cable modem. The info message says to try the "Force UDP encryption" setting but my company isn't allowing UDP encryption.

If I can get this working, I'll be working from home 40 hr/week except for an occasional meeting in the office, so many +T's to whoever can help me get this working.

Offline mirth

Re: Checkpoint VPN help needed
« Reply #1 on: November 04, 2004, 12:17:30 PM »
George, provided you're using the latest version of the VPN-1 client:

Right click on the systray icon, should look like a gold key.
Go to Settings
Select your VPN connection & click Properties
Select the Advanced tab
Check the 'Connectivity Enhancements' box, Use NAT traversal tunneling, and select both IKE over TCP and UDP encapsulation.

The majority of the time you have a VPN client that is behind some type of NAT firewall you need IKE over TCP & UDP encapsulation to get the tunnel to come up.

Al
Governor Jim McGreevey was equally disturbed about the upcoming population increase. "New Jersey cannot support all of these wookies," he said. "For starters, we don't have nearly enough kindbud. At best, we can muster up a Q.P. of some beasties, but we've not a dime-bag more."

Offline gewwang

Re: Checkpoint VPN help needed
« Reply #2 on: November 04, 2004, 12:26:46 PM »
Quote
The majority of the time you have a VPN client that is behind some type of NAT firewall you need IKE over TCP & UDP encapsulation to get the tunnel to come up.

Thanks, unfortunately I tried them both but my company isn't allowing UDP encryption. Are you saying in most cases you need options checked to get the tunnel working? Is there possibly something wrong in my router config that can be adjusted to get this working?

Offline mirth

Re: Checkpoint VPN help needed
« Reply #3 on: November 04, 2004, 12:34:30 PM »
I don't think there's anything to set on your Linksys, other than making sure it's running a recent firmware and if there's any setting for allowing IKE/IPSec VPN traffic through.

Not allowing UDP encapsulation is fairly broadband firewall/home network unfriendly...

You can verify this is the issue by hooking your machine up to the internet outside of your firewall & try to establish the tunnel. If it works, then you know your problem.

Offline gewwang

Re: Checkpoint VPN help needed
« Reply #4 on: November 05, 2004, 01:26:30 AM »
Thanks for your help so far.

So I tried it without the router and it works great. As soon as I hook the router back up, I get the tunnel test failed msg. Here's a screenshot:


Offline mirth

Re: Checkpoint VPN help needed
« Reply #5 on: November 05, 2004, 12:09:38 PM »
Unfortunately, without 'Support NAT traversal mechanism (UDP Encapsulation)' enabled & the Allocated Port set to VPN1_IPSEC_encapsulation on the firewall yer hosed.

If you feel like messing with port forwards on your firewall, you could try the following (I got this from Checkpoint's KB)
Quote
Allow the following services:

TCP/264 (Topology Download)
IKE
IPSEC and IKE (UDP on port 500)
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
TCP/500 (if using IKE over TCP)
UDP 2746 or another port (if using UDP encapsulation)

SecureClient specific connections:

FW1_scv_keep_alive (UDP port 18233) — used for SCV keep-alive packets
FW1_pslogon_NG (TCP port 18231) — used for SecureClient's logon to Policy Server protocol
FW1_sds_logon (TCP port 18232) — used for SecureClient's Software Distribution Server download protocol
tunnel_test (UDP port 18234) - used by Check Point tunnel testing application
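
Added example, not part of the thread or of Check Point's KB: a small Python check that maps per-flow packet counts from a client-side capture onto the services in the quoted list and reports which stage goes unanswered. The `Flow` record, the function names and both sample captures are constructed for illustration.

```python
from collections import namedtuple

# (IP protocol, destination port) -> service name, from the KB list quoted above.
# ESP and AH are IP protocols 50 and 51 and carry no port number, hence None.
SERVICES = {
    ("tcp", 264): "Topology Download",
    ("udp", 500): "IKE",
    ("tcp", 500): "IKE over TCP",
    ("esp", None): "IPSEC ESP",
    ("ah", None): "IPSEC AH",
    ("udp", 2746): "UDP encapsulation",
    ("udp", 18233): "FW1_scv_keep_alive",
    ("tcp", 18231): "FW1_pslogon_NG",
    ("tcp", 18232): "FW1_sds_logon",
    ("udp", 18234): "tunnel_test",
}

# Hypothetical per-flow packet counters, as tallied from a capture on the client.
Flow = namedtuple("Flow", "proto dport pkts_out pkts_in")

def classify(flows):
    """Split the listed services into answered and one-way (sent, no reply)."""
    answered, one_way = set(), set()
    for f in flows:
        name = SERVICES.get((f.proto, f.dport))
        if name is None or f.pkts_out == 0:
            continue  # not a listed service, or the client never tried it
        (answered if f.pkts_in > 0 else one_way).add(name)
    return answered, one_way - answered

def diagnose(flows):
    answered, one_way = classify(flows)
    if not answered & {"IKE", "IKE over TCP"}:
        return "IKE never answered: check UDP/500 or TCP/500 on the path"
    if "UDP encapsulation" in answered:
        return "IKE and UDP encapsulation answered: tunnel traffic passes NAT"
    if "IPSEC ESP" in one_way:
        return "IKE answered but ESP is one-way: suspect the NAT device"
    return "IKE answered; no tunnel traffic captured yet"

# Constructed sample: the laptop behind the router, UDP encapsulation disabled.
BEHIND_NAT = [Flow("tcp", 264, 12, 10), Flow("udp", 500, 6, 6),
              Flow("esp", None, 9, 0)]
# Constructed sample: same client with UDP encapsulation permitted.
WITH_UDP_ENCAP = [Flow("tcp", 264, 12, 10), Flow("udp", 500, 6, 6),
                  Flow("udp", 2746, 40, 38)]

if __name__ == "__main__":
    print(diagnose(BEHIND_NAT))
    print(diagnose(WITH_UDP_ENCAP))
```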
