Hi

What is the IP that the SecureClient enters when creating the site (when connecting from the internet)? Is it the statically NAT'd IP of the cluster or is it the statically NAT'd IP of the firewall interface that connects to your ISP?

Regards
Shiroma

Joel Guillerm <[EMAIL PROTECTED]> wrote:

Checkpoint R62, 2 Nokias in a Cluster, SecureClient R56
VPN tunnels can be established from the inside network, but we are unable to establish them from the Internet; the reason might be that the Firewall is hidden behind a NAT device (Redware machines).

We have tried to code the "Statically NATted IP" option in the Link selection section of the VPN properties of the Cluster, but nothing changed. The UDP NAT Traversal option is also checked, and IKE over TCP has also been tested (on both sides), but it seems that we don't even reach this phase, since the default 2746 UDP port never appears in Sniffer traces (taken before and after the NAT device).

NAT traversal is generally used in case the client PC's real address is hidden behind a NAT device before reaching the VPN Firewall, but here it is the reverse, since the Firewall's real address is a private one and so it is hidden from the Internet. Is this configuration supported? We have the same topology with other types of Firewalls and don't have any problem with NAT.

As far as I understand, this NAT traversal option only concerns IPSEC encapsulation inside the UDP layer to allow NAT pass-thru; the problem here seems to occur during the ISAKMP phase.

The scenario, at the time of the test, is as follows, from the user's point of view:

a) after entering the password on the initial Connect screen and clicking the Connect button, a "Verify Certificate" popup is displayed: it is the same kind of screen shown when creating the site itself
b) after clicking OK on this popup, the password is prompted again with the same kind of screen as the initial Connect screen, with a Cancel = xxx button and a Connect button
c) after clicking the Connect button, the screen disappears, and nothing else is visible for 1 mn
d) after that, a "VPN Connection failed" popup appears next to the SecureClient icon on the Quick Launch part of the screen

There are visible messages about this VPN test in the SmarTracker log, but none seems to be an error message.

Any help welcomed, thanks in advance
Joel

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================