Re: [FW-1] Setup of Remote VPN on R75+

2012-10-21 Thread Nathan Hawkins
I upgraded from R75.20 to R75.40 and it has fixed several issues. I also 
modified my remote access rule to Any / Any / RemoteAccess / Any / accept / Log 
/ FW. With all of that I am now able to connect via SecuRemote; however, the 
address I want assigned is not the address that gets assigned. I want 
172.30.254.0/24 assigned and I'm getting 192.168.0.0 assigned. If I specify my 
internal DHCP server I'm not even able to connect...

So...what does anyone think I need to do to fix that?


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-28 Thread Nathan Hawkins
No, Visitor mode is NOT required as per that guide and a few others I've read 
(please refer to the note about SecuRemote). Anyway, everything is set 
according to the documentation (including that guide). Yes, I'm using the FW's 
external IP for everything (including HTTP/S). I've disabled the NAT for every 
test... No special license is required for SecuRemote... I have recently tried 
the R60 version of SecuRemote/Client and it does not connect. I'm not sure what 
SNX is?

Any other ideas?


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-28 Thread Sergio Alvarez
SNX stands for SSL Network Extender.

It is a feature that allows you to establish SSL VPNs through a portal hosted
on the gateway, but it does encapsulate an IPSec tunnel within SSL, which
gives you the features of an SSL VPN (without having to previously
install a VPN client on each user's laptop) and the flexibility of a
regular IPSec VPN, which allows access to any client/server application and
not just web-enabled applications, as happens with regular SSL solutions.

SNX does require extra licensing; it used to be a feature by itself, but it
is now considered part of the Mobile Access Blade.


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-28 Thread Nathan Hawkins
Ok, no, the FW I'm working on is not licensed for that.


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-28 Thread Gary Scott
E7x SecuRemote will also try to use HTTPS on the initial connection; if this is 
blocked then it will use IKE. You didn't specify what client option of E7x you 
were installing; I assumed it was Endpoint Security. SecuRemote has inherent 
shortfalls that make it undesirable for use in several common environments. 
SecuRemote would require the VPN blade license. Nonetheless, you ruled out a 
problem with SSL when using the R60 client. If you are using the FW's external 
IP for everything (every port?) then you are stepping on ports it needs to have 
open for certain features to work; check out sk52421 and sk62692. In general 
it is not a good idea to use the FW's external IP for static port NAT; if you 
do, you have to be careful about what ports you use and what features you have 
enabled.


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-27 Thread Nathan Hawkins
Well... the R60 client won't work on the machines I support because they are all 
64-bit and the R60 client is 32-bit only. Whenever someone has something to 
suggest trying, I disable all NATing for HTTP/S to the web servers, because so 
far I have yet to make the VPN client even create the site, let alone work... I 
guess I'll switch to simplified mode when it presents itself as the better way 
to go. So far it has not.

Any suggestions as to what to try next?

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Gary Scott
Sent: Wednesday, September 26, 2012 8:27 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

The E7x clients do operate a bit differently than the older R60 IPSEC client; I 
think the initial HTTPS connections from the client are for auth purposes, a 
change from the older hybrid mode auth. Even though it is no longer supported, 
can you connect with the R60 client? Unless using visitor mode, it will do 
native IPSEC with no SSL? Make sure your 443 port is not being stepped on by 
anything else, and also have the proper license(s) in place. Office mode was a 
freebie for the R60 client, but that is no longer the case for the E7x client, 
which is a shame for such a needed feature. You still have complete control 
using simplified mode; it is just a mode to simplify the configuration of 
multiple VPN sites and a few other things. Once you get over the sticker shock 
you will see simplified mode is the way to go.


-GS


From: Nathan Hawkins na...@thfcom.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wednesday, September 26, 2012 2:23 PM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

All of that was already set (checked) and applied to the GW.

On the client (E75.20 is currently installed), what I see at the FW and other 
logs I'm using to troubleshoot this is only HTTP/HTTPS connections, and I can't 
configure anything else because when I go to create a new site it fails and 
won't continue to configure anything. All I get is a back / cancel / help 
(which brings up the help file) button.

If I must, I'll change to simplified mode, but I like traditional because I 
don't like anything to be automatic. I like complete control over everything.

I appreciate your help! I hope we can fix this...

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 12:14 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Global Properties > Remote Access > VPN Auth and Encryption > IKE over TCP
- here you enable support for TCP encapsulation on the gateway

Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
- here you enable support for a proprietary UDP encapsulation on the gateway

Now, on the client side you must enable these also; otherwise the client won't 
try to use them when trying to establish the VPN. Now, I unfortunately don't 
have an installation of the new versions of the VPN clients handy, but on the 
old ones, I remember you go to Settings > Properties of the Site > Advanced 
and you configure there the use of TCP and/or UDP Encap (also enable/disable 
Visitor mode).

If you are still seeing HTTPS from the client IP and destined to the firewall 
on your logs, then your client is still trying to use Visitor Mode.

Finally, you will find more help from people, forums and documentation if you 
turn to simplified VPN mode, traditional mode is pretty old.

On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins na...@thfcom.com wrote:

 Actually I see the FW external IP used frequently, but that's not
 relevant here.

 Please explain where I would involve TCP encapsulation - I've looked
 around for anything that would re-designate a way for Secure Client to
 make a connection and nothing has worked so far.

 I have mentioned (at least once, in my initial post) that in Logviewer
 all I see are accepts for HTTP/HTTPS.

 I have also explained in a recent post that I don't see any drops at
 the console (CLI) for the SIP of where the remote client is coming from.

 Yes - I have read the Admin Guide for R75.20 - several times actually...
 It's not that helpful...

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
 Alvarez
 Sent: Wednesday, September 26, 2012 10:12 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 Well, usually the firewall public IP is not used to statically NAT web
 servers, so regularly this is not an issue... anyway.

 I have mentioned already that you could try using something else like
 TCP encapsulation; have you tried that?

 So far you have not mentioned anything about the logs
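
Two checks that Gary's and Sergio's notes above suggest, as an added example in Python that is not code from this thread or from Check Point: which static port-NAT rules on the gateway's own external IP shadow a port a remote-access feature needs, and whether a remote client's log lines show only HTTPS (still in Visitor Mode) or an actual IKE exchange. The service/port table, the key=value log format, the rule shape and all addresses are assumptions made for the example, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# Gateway-side services a Check Point remote-access client may talk to.
# Port assignments come from general Check Point documentation, not from
# this thread; adjust the table to what your gateway actually runs.
REMOTE_ACCESS_SERVICES = {
    ("udp", 500):   "IKE",
    ("udp", 4500):  "IKE NAT-T (Support NAT Traversal)",
    ("udp", 2746):  "proprietary UDP encapsulation",
    ("tcp", 500):   "IKE over TCP",
    ("tcp", 443):   "Visitor Mode / SNX portal (HTTPS)",
    ("tcp", 264):   "SecuRemote topology download",
    ("tcp", 18231): "policy server logon",
}

IKE_PHASES = {"IKE", "IKE NAT-T (Support NAT Traversal)", "IKE over TCP"}


def find_nat_conflicts(external_ip, nat_rules):
    """Report static port-NAT rules that reuse the gateway's own external IP
    on a port a remote-access feature needs (the 'stepping on ports' case).
    Each rule is a dict with public_ip, proto, port, internal (assumed shape)."""
    gw = ipaddress.ip_address(external_ip)
    conflicts = []
    for rule in nat_rules:
        if ipaddress.ip_address(rule["public_ip"]) != gw:
            continue  # port NAT on a different public IP cannot collide
        key = (rule["proto"].lower(), int(rule["port"]))
        if key in REMOTE_ACCESS_SERVICES:
            conflicts.append((key[0], key[1], rule["internal"],
                              REMOTE_ACCESS_SERVICES[key]))
    return conflicts


# Tiny parser for key=value log-export lines (a constructed, simplified format).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def triage_client_log(lines, client_ip, gateway_ip):
    """Summarise which remote-access phases a client reached on the gateway.
    Rule of thumb from the thread: HTTPS from the client to the gateway with
    no IKE means the client is still trying to use Visitor Mode."""
    accepted, dropped = Counter(), Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("src") != client_ip or rec.get("dst") != gateway_ip:
            continue  # only client -> gateway traffic is relevant here
        key = (rec.get("proto", "").lower(), int(rec.get("dport", 0)))
        name = REMOTE_ACCESS_SERVICES.get(key, "other %s/%d" % key)
        (accepted if rec.get("action") == "accept" else dropped)[name] += 1
    if not accepted and not dropped:
        verdict = "no traffic from the client reached the gateway"
    elif accepted.keys() & IKE_PHASES:
        verdict = "IKE negotiation reached the gateway"
    elif "Visitor Mode / SNX portal (HTTPS)" in accepted:
        verdict = "stuck in Visitor Mode: only HTTPS seen, no IKE"
    else:
        verdict = "no IKE and no Visitor Mode traffic accepted; check drops"
    return {"accepted": dict(accepted), "dropped": dict(dropped),
            "verdict": verdict}


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
GATEWAY_IP = "203.0.113.10"
SAMPLE_NAT_RULES = [
    {"public_ip": "203.0.113.10", "proto": "tcp", "port": 443, "internal": "10.0.0.5"},
    {"public_ip": "203.0.113.10", "proto": "tcp", "port": 80,  "internal": "10.0.0.5"},
    {"public_ip": "203.0.113.11", "proto": "tcp", "port": 443, "internal": "10.0.0.6"},
]
SAMPLE_LOG = [
    'time=12:01:05 src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443 action=accept',
    'time=12:01:06 src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443 action=accept',
    'time=12:01:07 src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80 action=accept',
    'time=12:01:09 src=198.51.100.9 dst=203.0.113.10 proto=udp dport=500 action=accept',
]

if __name__ == "__main__":
    for proto, port, internal, feature in find_nat_conflicts(GATEWAY_IP, SAMPLE_NAT_RULES):
        print(f"{proto}/{port} -> {internal} shadows: {feature}")
    print(triage_client_log(SAMPLE_LOG, "198.51.100.7", GATEWAY_IP)["verdict"])
```

With the sample data the tcp/443 rule on the gateway's own IP is flagged as shadowing the Visitor Mode/SNX port, and client 198.51.100.7 is reported as stuck in Visitor Mode because only HTTPS accepts appear for it.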

Re: [FW-1] Setup of Remote VPN on R75+

2012-09-27 Thread Gary Scott
Visitor mode is required to be enabled on the gateway for the E75.20 client to 
work; check the admin guide specific for this client, 
CP_E75.20_Remote_Access_Clients_Admin_Guide.pdf. To be clear, are you using the 
FW's external IP for port NAT for HTTP/HTTPS? If so, then this needs to be 
disabled. Disabling HTTP/HTTPS NAT for any other external IPs you have, I don't 
think this would have any bearing on this; not something I would consider 
doing... that would be just crazy. Do you have the proper license in place? I 
would try a 32-bit SC R60 client just to make sure basic IPSEC VPN/office 
mode/etc. were functioning properly. You could also enable SNX, if licensed 
for it, and check if you can HTTPS through a browser.

From: Nathan Hawkins na...@thfcom.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM 
Sent: Thursday, September 27, 2012 8:23 AM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Well...the R60 client wont work on the machines I support because they are all 
64 bit and the R60 client is 32 bit only. Whenever someone has something to 
suggest trying I disable all NATing for HTTP/S to the web servers, because so 
far I have yet to make the VPN client even create the site let alone work... I 
guess I'll switch to simplified mode when it presents itself as the better way 
to go. So far it has not.

Any suggestions as to what to try next?


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Nathan Hawkins
There has to be a way to set Secure Client to connect at a port (or ports) 
other than port 80 and 443... That it requires those ports is pretty 
stupid/irresponsible...

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Monday, September 24, 2012 11:23 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

AFAIK, you need TCP/443 when you enable visitor mode, which basically makes 
the clients establish an SSL connection first and encapsulates IPSec inside 
that.
It is meant to avoid connectivity issues for users located on public sites, 
where only http/https is allowed to restrict Internet use to browsing only.
I would say, try other advanced connectivity features, such as TCP 
encapsulation.


Scanned by Check Point Total Security Gateway.

=
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
As said... it uses TCP/443 when you enable the feature called Visitor
Mode. You can choose to use UDP or TCP encapsulation and that would make
it work on other ports.

In any case, I don't see how using a well-used port would be
stupid/irresponsible.

On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins na...@thfcom.com wrote:

> There has to be a way to set Secure Client to connect at a port (or ports)
> other than port 80 and 443... That it requires those ports is pretty
> stupid/irresponsible...





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Nathan Hawkins
Because HTTP/HTTPS is used for web servers - almost exclusively. I can't believe 
that I'm supporting the only company on Earth who uses Checkpoint at the edge 
with web servers that need port 80 and 443 opened and NATed to them without the 
FW intercepting that traffic for Remote VPN connectivity.

In R60-65 Remote Access VPN was initiated on ports other than 80/443 and it 
worked great...even for visitor mode...

Okay. I'll disable visitor mode because it's not necessary, but it's still not 
connecting - so what now?

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 9:11 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

As said... it uses TCP/443 when you enable the feature called Visitor Mode. 
You can choose to use UDP or TCP encapsulation and that would make it work on 
other ports.

In any case, I don't see how using a well-used port would be 
stupid/irresponsible.





--
Sergio Alvarez
CISSP | CCSE+


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
Well, usually the Firewall public IP is not used to statically NAT web
servers, so regularly this is not an issue... anyway.

I have mentioned already that you could try using something else like TCP
encapsulation, have you tried that?

So far you have not mentioned anything about the logs... have you checked
them? What does it say for connection attempts from a test VPN client user?

I see that before someone else explained to you how to use debugging with a
filter to check for drops on the firewall, have you tried that?

Have you read the VPN Admin Guide pdf document?



On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins na...@thfcom.com wrote:

> Because HTTP/HTTPS is used for web servers - almost exclusively. I can't
> believe that I'm supporting the only company on Earth who uses Checkpoint
> at the edge with web servers that need port 80 and 443 opened and NATed to
> them without the FW intercepting that traffic for Remote VPN connectivity.
>
> In R60-65 Remote Access VPN was initiated on ports other than 80/443 and
> it worked great...even for visitor mode...
>
> Okay. I'll disable visitor mode because it's not necessary, but it's still
> not connecting - so what now?

 



 --
 Sergio Alvarez
 CISSP | CCSE+


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
Global Properties > Remote Access > VPN Auth and Encryp > IKE over TCP
- here you enable support for TCP encapsulation on the gateway

Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
-- Here you enable support for a proprietary UDP Encapsulation on the
gateway.

Now, on the client side you must enable these also, otherwise the client
won't try to use them when trying to establish VPN. Now, I unfortunately
don't have handy an installation of the new versions of the VPN clients,
but on the old ones, I remember you go to Settings > Properties of the Site > Advanced
and you configured there the use of TCP and/or UDP Encap (also
enable/disable Visitor mode).

If you are still seeing HTTPS from the client IP and destined to the
firewall on your logs, then your client is still trying to use Visitor
Mode.

Finally, you will find more help from people, forums and documentation if
you turn to simplified VPN mode; traditional mode is pretty old.

On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins na...@thfcom.com wrote:

> Actually I see the FW external IP used frequently, but that's not relevant
> here.
>
> Please explain where I would involve TCP encapsulation - I've looked
> around for anything that would re-designate a way for Secure Client to make
> a connection and nothing has worked so far.
>
> I have mentioned (at least once, in my initial post) that in Logviewer all
> I see are accepts for HTTP/HTTPS.
>
> I have also explained in a recent post that I don't see any drops at the
> console (CLI) for the SIP of where the remote client is coming from.
>
> Yes - I have read the Admin Guide for R75.20 - several times actually...
> It's not that helpful...


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Nathan Hawkins
All of that was already set (checked) and applied to the GW

On the Client (E75.20 is currently installed), what I see at the FW and other 
logs I'm using to troubleshoot this is only HTTP/HTTPS connections, and I can't 
configure anything else because when I go to create a new site it fails and 
won't continue to configure anything. All I get is a back / cancel / help 
(which brings up the help file) button.

If I must, I'll change to simplified mode, but I like traditional because I 
don't like anything to be automatic. I like complete control over everything.

I appreciate your help! I hope we can fix this...

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 12:14 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Global Properties > Remote Access > VPN Auth and Encryp > IKE over TCP
- here you enable support for TCP encapsulation on the gateway

Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
-- Here you enable support for a proprietary UDP Encapsulation on the
gateway.

Now, on the client side you must enable these also, otherwise the client won't 
try to use them when trying to establish VPN. Now, I unfortunately don't have 
handy an installation of the new versions of the VPN clients, but on the old 
ones, I remember you go to Settings > Properties of the Site > Advanced and 
you configured there the use of TCP and/or UDP Encap (also 
enable/disable Visitor mode).

If you are still seeing HTTPS from the client IP and destined to the firewall 
on your logs, then your client is still trying to use Visitor Mode.

Finally, you will find more help from people, forums and documentation if you 
turn to simplified VPN mode, traditional mode is pretty old.


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Gary Scott
The E7x clients do operate a bit differently than the older R60 IPSEC client; I 
think the initial https connection from the client is for auth purposes, a 
change from the older hybrid mode auth. Even though no longer supported, can you 
connect with the R60 client? Unless using visitor mode it will do native IPSEC 
with no SSL. Make sure your 443 port is not being stepped on by anything else, 
also have the proper license(s) in place; office mode was a freebie for the R60 
client but no longer the case for the E7x client, which is a shame for such a 
needed feature. You still have complete control using simplified mode, it is 
just a mode to simplify the configuration of multiple VPN sites and a few other 
things; once you get over the sticker shock you will see simplified mode is the 
way to go.
 
 
-GS


From: Nathan Hawkins na...@thfcom.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM 
Sent: Wednesday, September 26, 2012 2:23 PM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

All of that was already set (checked) and applied to the GW

On the Client (E75.20 is currently installed), what I see at the FW and other 
logs I'm using to troubleshoot this is only HTTP/HTTPS connections, and I can't 
configure anything else because when I go to create a new site it fails and 
won't continue to configure anything. All I get is a back / cancel / help 
(which brings up the help file) button.

If I must, I'll change to simplified mode, but I like traditional because I 
don't like anything to be automatic. I like complete control over everything.

I appreciate your help! I hope we can fix this...

-Original Message-
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 12:14 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Global Properties  Remotes Access  VPN Auth and Ecryp  IKE over TCP
- here you enable support for TCP encapsulation on the gateway

Gateway Properties  IPSec VPN  Remote Access  Support NAT Traversal
-- Here you enable support for a propietary UDP Encapsulation on 
-- the
gateway.

Now, on the client side you must enable these also, otherwise the client won't 
try to use them when trying to establish VPN. Now, I unfortunately don't have 
handy an installation of the new versions of the VPN clients, but on the old 
ones, I remember you go to Settings  Properties of the Site
 Advanced and you configured there the use of TCP and/or UDP Encap 
 (also
enable/disable Visitor mode).

If you are still seeing HTTPS from the client IP and destined to the firewall 
on your logs, then your client is still trying to use Visitor Mode.

Finally, you will find more help from people, forums and documentation if you 
turn to simplified VPN mode, traditional mode is pretty old.

On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins na...@thfcom.com wrote:

 Actually I see the FW external IP used frequently, but that's not 
 relevant here.

 Please explain where I would involve TCP encapsulation - I've looked 
 around for anything that would re-designate a way for Secure Client to 
 make a connection and nothing has worked so far.

 I have mentioned (at least once, in my initial post) that in Logviewer 
 all I see are accepts for HTTP/HTTPS.

 I have also explained in a recent post that I don't see any drops at 
 the console (CLI) for the SIP of where the remote client is coming from.

 Yes - I have read the Admin Guide for R75.20 - several times actually...
 Its not that helpful...

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio 
 Alvarez
 Sent: Wednesday, September 26, 2012 10:12 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 Well, usually the Firewall public IP is not used to staticaly NAT web 
 servers, so regularly this is not an issue... anyway.

 I have mentioned already that you could try using something else like 
 TCP encapsulation, have you tried that??

 So far you have not mentioned anything about the logs... have you 
 checked them? What does it say for connection attempts from a test VPN client 
 user?

 I see that before someone else explained to you how to use debugging 
 with a filter to check for drops on the firewall, have you tried that?

 Have you read the VPN Admin Guide pdf document?



 On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins na...@thfcom.com wrote:

  Because HTTP/HTTPS is used for web servers - almost exclusively. I 
  can't believe that I'm supporting the only company on Earth who uses 
  Checkpoint at the edge with web servers that need port 80 and 443 
  opened and NATed to them without the FW intercepting that traffic 
  for Remote VPN connectivity.
 
  In R60-65 Remote Access VPN was initiated on ports other

Re: [FW-1] Setup of Remote VPN on R75+

2012-09-24 Thread Nathan Hawkins
 fw ctl zdebug drop displays ALL drops...I need a way to further filter out 
 the drops because there's too many drops to see the one(s) I want.
fw ctl zdebug drop  | grep myipaddress
 In the global properties there is no specific IKE property. All control 
 connections are allowed First.

 Well,  you use client encrypt in the action column in order to make remote 
 access work...what do you suggest?
set the user@at in the source, then restrict rule to apply only on remoteaccess 
community.
(but it requires the policy to be moved to simplified mode).

I think I read somewhere that Secure Client/Remote requires port 443 to be open 
on the firewall...which I don't understand why that would be a requirement when 
HTTPS is necessary for web server applications...anyway...is there a way to 
make Secure Client/Remote connect at a different port (I suspect so - how do 
you do so)?

I don't like simplified mode...so how do you configure the rule policy for 
secure remote connections for traditional mode? 

Scanned by Check Point Total Security Gateway.

=
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-24 Thread Sergio Alvarez
AFAIK, you need TCP/443 when you enable visitor mode, which basically
makes the clients establish an SSL connection first and encapsulates an
IPSec inside that.
It is meant to avoid connectivity issues for users located on public sites,
where only http/https is allowed to restrict Internet use to browsing only.
I would say, try other advanced connectivity features, such as TCP
encapsulation.

On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins na...@thfcom.com wrote:

  fw ctl zdebug drop displays ALL drops...I need a way to further filter
 out the drops because there's too many drops to see the one(s) I want.
 fw ctl zdebug drop  | grep myipaddress
  In the global properties there is no specific IKE property. All
 control connections are allowed First.
 
  Well,  you use client encrypt in the action column in order to make
 remote access work...what do you suggest?
 set the user@at in the source, then restrict rule to apply only on
 remoteaccess community.
 (but it requires the policy to be moved to simplified mode).

 I think I read somewhere that Secure Client/Remote requires port 443 to be
 open on the firewall...which I don't understand why that would be a
 requirement when HTTPS is necessary for web server
 applications...anyway...is there a way to make Secure Client/Remote connect
 at a different port (I suspect so - how do you do so)?

 I don't like simplified mode...so how do you configure the rule policy for
 secure remote connections for traditional mode?





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Setup of Remote VPN on R75+

2012-09-22 Thread pkc_mls

On 20/09/2012 8:47, Nathan Hawkins wrote:


fw ctl zdebug drop displays ALL drops...I need a way to further filter out 
the drops because there's too many drops to see the one(s) I want.

fw ctl zdebug drop  | grep myipaddress

In the global properties there is no specific IKE property. All control 
connections are allowed First.

Well,  you use client encrypt in the action column in order to make remote 
access work...what do you suggest?
set the user@at in the source, then restrict rule to apply only on 
remoteaccess community.

(but it requires the policy to be moved to simplified mode).




Re: [FW-1] Setup of Remote VPN on R75+

2012-09-20 Thread pkc_mls

On 20/09/2012 5:26, Nathan Hawkins wrote:

Ok...so I've setup remote VPNs before...but on earlier versions of 
Checkpoint. I'm not sure what I'm doing wrong, but the client won't connect. 
I have an R75.20 GW and Mgt Console. Under the IPSec VPN tab of the GW I 
have MyIntranet and RemoteAccess added to the communities. Under the 
traditional Mode button everything is checked... Under the Authentication 
tab I have Username and Password ticked. Under Remote Access tab I have 
the Support NAT traversal mechanism (UDP encapsulation) checked with the 
VPN1_IPSEC_encapsulation object selected. Everything else (I think) is 
default.

Under the policy I have a rule created with AllUsers@Any / Any / Any / Client 
Encrypt / Log / FW created at the very top of the rule base.

When I try to connect it flat out fails to connect (Reason is Site is not 
responding)...so what the heck is not configured correctly?!

Check the drops using fw ctl zdebug drop.
Do you have IKE allowed in global properties - implied rules?

I'm quite surprised you use client encrypt for your rule.






Re: [FW-1] Setup of Remote VPN on R75+

2012-09-20 Thread Nathan Hawkins
 Ok...so I've setup remote VPNs before...but on earlier versions of 
 Checkpoint. I'm not sure what I'm doing wrong, but the client won't connect. 
 I have an R75.20 GW and Mgt Console. Under the IPSec VPN tab of the GW I 
 have MyIntranet and RemoteAccess added to the communities.  Under the 
 traditional Mode button everything is checked... Under the Authentication 
 tab I have Username and Password ticked. Under Remote Access tab I have 
 the Support NAT traversal mechanism (UDP encapsulation) checked with the 
 VPN1_IPSEC_encapsulation object selected. Everything else (I think) is 
 default.

 Under the policy I have a rule created with AllUsers@Any / Any / Any / 
 Client Encrypt / Log / FW created at the very top of the rule base.

 When I try to connect it flat out fails to connect (Reason is Site is not 
 responding)...so what the heck is not configured correctly?!
Check the drops using fw ctl zdebug drop.
Do you have IKE allowed in global properties - implied rules?

I'm quite surprised you use client encrypt for your rule.

fw ctl zdebug drop displays ALL drops...I need a way to further filter out 
the drops because there's too many drops to see the one(s) I want.

In the global properties there is no specific IKE property. All control 
connections are allowed First.

Well,  you use client encrypt in the action column in order to make remote 
access work...what do you suggest?
