Hi Antonio,
A possible answer to the third question:
To achieve full SC connectivity, even behind the most esoteric NATing
devices, you may want to enable the following:
- On the gateway object, *'Remote Access'* tab: check the *'Support NAT
traversal mechanism'* box;
- On the gateway object, *'Remote Access->Office Mode'* tab: *Enable
Office Mode* and configure its options;
- On the Global Properties, *'Remote Access->VPN - Basic'* tab: Check
the *'Gateways support IKE over TCP'* box.
The last item is particularly useful when establishing the VPN from
behind a Checkpoint FW1 or DSL router. IKE UDP packets are big, and some
routers appear to have problems in reassembling those packets.
Supporting IKE over TCP
Some points to consider:
- To support Office Mode, the VPN client must be installed as Secure
Client, even if you don't have a Policy Server;
- Secure Client must be configured to support all the three options
listed. It's wise to create a preconfigured package;
- The proposed setup allows VPN establishment even from RFC 1918 networks
with conflicting addresses. Example: VPN from a 192.168.5.0/26 network,
while your encryption domain contains a sub/superset of this network,
such as 192.168.0.0/16. The drawback is: you won't be able to
communicate with local conflicting addresses while the VPN is established.
- Enabling those options on the gateway only adds functionality. Your
old VPN clients will still work.
- Your internal network must know that the IP range chosen as the Office
Mode pool must be routed back to your Checkpoint;
- The IP range chosen as the Office Mode pool *MUST NOT* appear in the
encryption domain. If your encryption domain is such a thing like
10.0.0.0/8 and you want to use 10.40.1.0/24 as an Office Mode pool,
create a 'group with exclusion'.
I hope this information is useful! :)
Regards,
--
Paulo Zenari
p_zenari AT yahoo.com DOT br
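As an added illustration (not part of Paulo's message and not a Check Point tool), the script below checks the two planning rules from the last bullets: that the Office Mode pool does not appear in the encryption domain, and what the 'group with exclusion' has to leave behind when it does. It also flags the RFC 1918 conflict case. All ranges are constructed sample values taken from the post.

```python
import ipaddress

# Constructed sample values, mirroring the ranges mentioned in the post.
ENCRYPTION_DOMAIN = ["10.0.0.0/8", "192.168.0.0/16"]
OFFICE_MODE_POOL = "10.40.1.0/24"
CLIENT_LOCAL_NET = "192.168.5.0/26"  # remote user's LAN behind a DSL router


def _nets(cidrs):
    # strict=True rejects sloppy entries such as 10.0.0.1/8
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def pool_overlaps_domain(domain, pool):
    """Domain networks that overlap the Office Mode pool; must be empty."""
    p = ipaddress.ip_network(pool, strict=True)
    return [str(n) for n in _nets(domain) if n.overlaps(p)]


def domain_with_exclusion(domain, pool):
    """Encryption domain minus the pool, as the CIDR list a
    'group with exclusion' effectively represents."""
    p = ipaddress.ip_network(pool, strict=True)
    remaining = []
    for n in _nets(domain):
        if p.subnet_of(n):
            # Carve the pool out: the complement of a /24 inside a /8
            # is the 16 sibling blocks from /9 down to /24.
            remaining.extend(n.address_exclude(p))
        elif n.subnet_of(p):
            continue  # this domain network is swallowed by the pool entirely
        else:
            remaining.append(n)  # disjoint, keep as-is
    return [str(n) for n in sorted(remaining)]


def local_conflicts(domain, client_net):
    """Domain networks that collide with the client's local LAN (the
    192.168.5.0/26 vs 192.168.0.0/16 case described in the post)."""
    c = ipaddress.ip_network(client_net, strict=True)
    return [str(n) for n in _nets(domain) if n.overlaps(c)]


if __name__ == "__main__":
    print("pool inside domain:", pool_overlaps_domain(ENCRYPTION_DOMAIN, OFFICE_MODE_POOL))
    print("domain with exclusion:", domain_with_exclusion(ENCRYPTION_DOMAIN, OFFICE_MODE_POOL))
    print("client LAN conflicts:", local_conflicts(ENCRYPTION_DOMAIN, CLIENT_LOCAL_NET))
```

Run it against your own domain and pool before enabling Office Mode; an empty list from `pool_overlaps_domain` means no exclusion group is needed.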
Antonio Costa wrote:
Hi all,
Three questions about SecuRemote/Secure Client:
- Has anyone found or implemented a SC/SR tester application?
- Some time ago we tested with GSM/GPRS companies in Brazil, USA and
Europe, and with none of them could we establish a SC connection. We also
found an RFC about problems using IPSec clients in GSM/GPRS networks.
Has anyone done any test or have a success story about it?
- How can I tell SC to establish an encrypted connection to our gateway
even if the local IP address belongs to an internal LAN behind my firewall?
--
Antonio Costa
CCNA/CCSE/MCSE/LinuxAdmin
Sao Paulo / Brasil
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================