RE: VPN using IPSec between CheckPoint Firewall-1 and OpenBSD
- To: "'Cristian Nicolae'" <cnicolae_(_at_)_osce_(_dot_)_org>, misc_(_at_)_openbsd_(_dot_)_org
- Subject: RE: VPN using IPSec between CheckPoint Firewall-1 and OpenBSD
- From: Patrick Ethier <patrick_(_at_)_secureops_(_dot_)_com>
- Date: Wed, 15 Dec 1999 13:51:22 -0500
Hi Cristian,
I've just finished playing with this exact scenario. It only works to
some extent. The problem we ran into was the encapsulated routing tables
were not being formed properly.
I had my VPN gateway here (which is OBSD 2.6 and ISAKMP) with external
interface of xxx.yyy.zzz.109 and internal net of 192.168.100/24
I had a NT/FW-1/VPN-1 gateway at IP aaa.bbb.ccc.155 and internal net of
192.168.10/24
The routing tables would end up looking like this on the OBSD side:

    Source           Port   Destination          Port   SPI
    0.0.0.0/32       0      aaa.bbb.ccc.155/32          aaa.bbb.ccc.155
    192.168.100/24          aaa.bbb.ccc.155/32          aaa.bbb.ccc.155

It should look like this:

    Source           Port   Destination          Port   SPI
    0.0.0.0/32       0      192.168.10/24               aaa.bbb.ccc.155
    192.168.100/24          192.168.10/24               aaa.bbb.ccc.155
We called checkpoint and they blamed this on an incompatibility. I didn't
get the details because the FW-1 box does not belong to me..:)
We saw some weird stuff happening, like "REQUEST_REMOTE_SUBNET: This option
is not supported in this version".
I know that there is no place where we can specify a remote subnet inside
VPN-1. You do this in OBSD by using the
    Remote-Network=  Net-East

    [Net-East]
    Network-ID=      IPV4_ADDR_SUBNET
    Network=         192.168.10.0
    Netmask=         255.255.255.0
Somehow the equivalent does not exist in VPN-1 according to Checkpoint's
support.
The result: I can send ESP packets between the two gateways but can't access
the internal LANs from either side.
If you figure out how to fix this, let me know; we'd really appreciate it.
Good luck,
Patrick Ethier
patrick_(_at_)_secureops_(_dot_)_com
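One check a practitioner would script for the symptom Patrick describes, as an added example (not code from the post or from OpenBSD): parse a flow table in the column layout he shows and report whether any flow's selectors cover traffic from the local LAN to the remote LAN, or only to the peer gateway itself. The sample tables are constructed, with RFC 5737 documentation addresses standing in for the masked xxx.yyy.zzz / aaa.bbb.ccc values; the function names are this example's own. `normalize_prefix` handles BSD-style shortened prefixes such as `192.168.10/24`, which Python's `ipaddress` module rejects as written.

```python
"""Check whether an OpenBSD IPsec flow table covers LAN-to-LAN traffic.

Added example, not code from the original post. It parses flow entries in the
column layout the post uses (Source [Port] Destination [Port] SPI) and reports
whether some flow carries traffic from the local LAN to the remote LAN, or only
to the peer gateway itself. The sample tables are constructed; the post's
masked xxx.yyy.zzz / aaa.bbb.ccc addresses are replaced by RFC 5737
documentation addresses.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str                      # the post's "SPI" column: the SA peer address
    sport: Optional[int] = None
    dport: Optional[int] = None


def normalize_prefix(text: str) -> ipaddress.IPv4Network:
    """Expand BSD-style abbreviated prefixes (192.168.10/24 -> 192.168.10.0/24);
    ipaddress rejects the short form, and a bare address means a /32 host."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {text!r}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_flows(table: str) -> list[Flow]:
    """Parse one flow per line; the port columns may be absent on a row."""
    flows: list[Flow] = []
    for line in table.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() == "source":
            continue                                  # blank line or header
        peer = tokens[-1]
        nets: list[ipaddress.IPv4Network] = []
        ports: list[Optional[int]] = []
        for tok in tokens[:-1]:
            if "/" in tok:                            # address/prefix column
                nets.append(normalize_prefix(tok))
                ports.append(None)
            elif tok.isdigit() and ports:             # port belongs to the preceding address
                ports[-1] = int(tok)
            else:
                raise ValueError(f"unexpected token {tok!r} in {line!r}")
        if len(nets) != 2:
            raise ValueError(f"expected source and destination in {line!r}")
        flows.append(Flow(nets[0], nets[1], peer, ports[0], ports[1]))
    return flows


def covering_flow(flows: list[Flow], local: ipaddress.IPv4Network,
                  remote: ipaddress.IPv4Network) -> Optional[Flow]:
    """First flow whose selectors cover local -> remote traffic, else None."""
    for f in flows:
        if local.subnet_of(f.src) and remote.subnet_of(f.dst):
            return f
    return None


def check_lan_to_lan(table: str, local_net: str, remote_net: str) -> dict:
    """Report whether LAN-to-LAN traffic is covered, and list flows from the
    local LAN whose destination is a single host (the symptom in the post)."""
    flows = parse_flows(table)
    local, remote = normalize_prefix(local_net), normalize_prefix(remote_net)
    match = covering_flow(flows, local, remote)
    gateway_only = [f for f in flows
                    if local.subnet_of(f.src) and f.dst.prefixlen == 32]
    return {"ok": match is not None, "flow": match, "gateway_only": gateway_only}


# Constructed samples in the post's layout: OpenBSD gateway 203.0.113.109 with
# LAN 192.168.100/24, VPN-1 gateway 198.51.100.155 with LAN 192.168.10/24.
OBSERVED_TABLE = """\
Source           Port   Destination          Port   SPI
0.0.0.0/32       0      198.51.100.155/32           198.51.100.155
192.168.100/24          198.51.100.155/32           198.51.100.155
"""

EXPECTED_TABLE = """\
Source           Port   Destination          Port   SPI
0.0.0.0/32       0      192.168.10/24               198.51.100.155
192.168.100/24          192.168.10/24               198.51.100.155
"""

if __name__ == "__main__":
    for label, table in (("observed", OBSERVED_TABLE), ("expected", EXPECTED_TABLE)):
        r = check_lan_to_lan(table, "192.168.100/24", "192.168.10/24")
        print(f"{label}: LAN-to-LAN covered={r['ok']}, "
              f"gateway-only flows={len(r['gateway_only'])}")
```

Run against the observed table it reports no covering flow and one flow from the local LAN that terminates at the peer gateway host, which is exactly the state in which ESP between the gateways works but neither LAN can reach the other; against the expected table it finds the 192.168.100/24 to 192.168.10/24 flow.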
-----Original Message-----
From: Cristian Nicolae [mailto:cnicolae_(_at_)_osce_(_dot_)_org]
Sent: Wednesday, December 15, 1999 7:30 AM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: VPN using IPSec between CheckPoint Firewall-1 and OpenBSD
Hello,
I was wondering if anyone has tried a VPN (using IPSec) between
OpenBSD and CheckPoint Firewall-1 and if any of you can point me to
any resource for this particular problem in addition to the OpenBSD
FAQs.
Thanks very much in advance.
Best regards,
Cristian Nicolae