
List:       linux-router
Subject:    RE: [LRP] Eigerstein VPN-Masq & Checkpoint SecureClient
From:       "Mountcastle, John" <John.Mountcastle () hmshost ! com>
Date:       2001-05-29 2:38:17

Thanks Chuck, as someone has observed, your reply does look very helpful.

Mostly it serves to get me back on track. What you suggested should work, I
know, it does work, right. Actually may I suggest, if you don't need the
ipfwd commands, take them out. Otherwise, I found, every time you do an "svi
network ipfilter reload" they get doubled up. That can't be good. I think it
is legitimate to put the 

$IPCH -A input -p udp -s 0/0 -d $EXTERN_IP 500 -i $EXTERN_IF -j ACCEPT

into network.conf by appending it to $EXTERN_UDP_PORTS, that's the way I am
trying to do it, anyway.

So anyway, still no Joy. It may be significant that I am working with FW-1 v
4.0 while you have v 4.1. It may also be significant that I just got an
email from the guy who was supposed to set :userc_NAT (true) and
:user_IKE_NAT (true). The problem may be on that end. Here's hoping.

Thanks for your comments, I'll keep you posted.

If anyone has any experience with SecureRemote against FW-1 v 4.0, I'd love
to hear about it. Various docs say it can be made to work in various ways
but, so far, you can't prove it by me.

John

-----Original Message-----
From: vette66 [mailto:vette66@twmi.rr.com]
Sent: Monday, May 28, 2001 5:44 PM
To: Mountcastle, John
Cc: linux
Subject: re:[LRP] Eigerstein VPN-Masq & Checkpoint SecureClient


From: "Mountcastle, John" <John.Mountcastle@hmshost.com>
To: "'linux-router@linuxrouter.org'" <linux-router@linuxrouter.org>
Date: Mon, 28 May 2001 01:27:59 -0400
Subject: [LRP] Eigerstein VPN-Masq & Checkpoint SecureClient

Good morning to you. I have been reading the list and various HOW-To's for
about a month. The problem is that they span longer than it takes for the
answers to change. I am a little confused and afraid I am trying to reinvent
the wheel.

I've got a lightly customized Eigerstein LRP. I've added sshd.lrp and
changed the kernel and modules for the FLOPPY-MASQ-VPN version. My
checkpoint SecureClient can get authenticated by the FW-1 machine but a
ping to the private network at the other end of the tunnel just times out.

c:\ping 162.130.144.100

just goes nowhere.

I have some interesting looking entries in /var/log/messages;

# tail /var/log/messages
May 28 04:03:41 patuxant kernel: ip_masq_esp(): init 192.168.1.1 ->
63.237.92.162 SPI D578C1B2 temporarily blocked by pending init w/ SPI
D578C1B1
and if I
ipchains -I input -p udp -s 192.168.1.1 500 -l -j ACCEPT
or
ipchains -I forward -p 50 -l -j MASQ

John,

I had a similar problem when I first tried to get VPN running through my LRP
box. I have been successfully using it now for a while and included here is
what I ended up using in my ipfilter.conf file.

I can use secure remote from multiple internal machines IF I log each of them
into a DIFFERENT ip subnet. In other words I use one machine to gather my
e-mail from work on the mail server (10.103.xxx.xxx) address and I use my
other pc to gain access to my unix workstation at work but I have to go
10.104.xxx.xxx. (we use multiple subnets at work) I cannot access the company
private network from both pc's to the same subnet.

We are running CheckPoint Version 4.1 sp2 on the server side however I have
found I can use either sp1 (my laptop) or sp3 (my pc) and it does not seem to
matter, both work.

Now for the nuts and bolts. I use (below) in my ipfilter.conf file.
#
# for secure remote
$IPCH -I input -s 0.0.0.0/0 -d my.eth0.ip.addr/32 500 -p udp  -j ACCEPT
$IPCH -I input -s 0.0.0.0/0 -d my.eth0.ip.addr/32 -p 50 -j ACCEPT
$IPCH -I input -s 0.0.0.0/0 -d my.eth0.ip.addr/32 -p 51 -j ACCEPT
ipfwd --masq 192.168.1.253 50 &
ipfwd --masq 192.168.1.253 51 &
#
I do not believe I need to ipfwd ports 50 and 51 and the reason for
my belief is this. The .253 address is my pc, yet I can use my laptop
(which gets an assigned address from my LRP box) and it also works
fine with secure remote and I do not (as you can see) have anything
forwarded to that address.

# tail /var/log/messages
May 28 04:03:41 patuxant kernel: ip_masq_esp(): init 192.168.1.1 ->
63.237.92.162 SPI D578C1B2 temporarily blocked by pending init w/ SPI
D578C1B1
May 28 04:09:39 patuxant kernel: ip_masq_esp(): init 192.168.1.1 ->
63.237.92.162 SPI D578C1B6 temporarily blocked by pending init w/ SPI
D578C1B2

I too have (and still get from time to time) the same type of messages in
my syslog file. I have not tracked down what exactly causes them but
they do not seem to be anything that is preventing secure remote from
working. As you are using a VPN supported kernel, so am I (it is an Eiger
2.2.16 base with moderate changes/additions).

I hope the above helps you out. It was what got my system running with
secure remote :-)

good luck
Chuck
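As an added example (not from this thread or from LRP), a small Python triage script for the ip_masq_esp() "temporarily blocked by pending init" messages both posts quote; it groups the blocked ESP inits per remote peer and tells a retry chain from one internal host apart from several internal hosts contending for the same peer. The sample lines are constructed from the two quoted above plus one extra init and one unrelated kernel line.

```python
"""Triage ip_masq_esp() "temporarily blocked by pending init" kernel messages.

Added example for this thread, not code from the list or from LRP: it parses the
kernel lines quoted above and summarises, per remote IPsec peer, how many ESP
inits were blocked, which internal hosts were involved, and whether the blocks
form one retry chain (each blocked init's pending SPI is the previous init's SPI)
or several internal hosts contending for the same peer.
"""
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread, one extra init from
# the same host, and one unrelated kernel line that must be ignored.  Syslog
# writes each message on a single line; the mail client wrapped the quoted ones.
SAMPLE_LOG = """\
May 28 04:03:41 patuxant kernel: ip_masq_esp(): init 192.168.1.1 -> 63.237.92.162 SPI D578C1B2 temporarily blocked by pending init w/ SPI D578C1B1
May 28 04:09:39 patuxant kernel: ip_masq_esp(): init 192.168.1.1 -> 63.237.92.162 SPI D578C1B6 temporarily blocked by pending init w/ SPI D578C1B2
May 28 04:10:02 patuxant kernel: eth0: link up
May 28 04:15:11 patuxant kernel: ip_masq_esp(): init 192.168.1.1 -> 63.237.92.162 SPI D578C1B9 temporarily blocked by pending init w/ SPI D578C1B6
"""

ESP_BLOCK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"ip_masq_esp\(\): init (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) "
    r"SPI (?P<spi>[0-9A-Fa-f]{1,8}) temporarily blocked by pending init "
    r"w/ SPI (?P<pending>[0-9A-Fa-f]{1,8})$"
)


def parse_esp_blocks(text):
    """Return one dict per matching line, in file order; other lines are skipped."""
    return [m.groupdict() for m in map(ESP_BLOCK_RE.match, text.splitlines()) if m]


def summarize(events):
    """Group blocked inits by remote peer (dst) and classify the pattern."""
    by_peer = defaultdict(list)
    for ev in events:
        by_peer[ev["dst"]].append(ev)
    report = {}
    for peer, evs in by_peer.items():
        sources = sorted({ev["src"] for ev in evs})
        # Retry chain: every blocked init was held up by the init right before it.
        chain = all(cur["pending"] == prev["spi"] for prev, cur in zip(evs, evs[1:]))
        report[peer] = {
            "blocked": len(evs),
            "sources": sources,
            "retry_chain": chain,
            # Heuristic: more than one internal host opening ESP to the same peer,
            # the case the thread describes as not working from two PCs at once.
            "contention": len(sources) > 1,
        }
    return report


if __name__ == "__main__":
    for peer, info in summarize(parse_esp_blocks(SAMPLE_LOG)).items():
        print(peer, info)
```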

_______________________________________________
linux-router maillist  -  linux-router@linuxrouter.org
http://www.linuxrouter.org/mailman/listinfo/linux-router
