Ipsec Tunnel through Checkpoint FW-1

uoktay
Level 1

Hi,

We are trying to establish an IPsec tunnel between a VPN 3000 and its client, which is behind a Checkpoint. The Checkpoint is making port address translation. IPsec through NAT is configured on the concentrator (UDP port 10000). Though we configured the firewall to pass any-to-any traffic, we could not establish the connection. Does anyone have experience tunneling IPsec traffic through FW-1?

(I personally have configured and seen two clients (behind a Cisco router making PAT) that have established IPsec tunnels at the same time with the concentrator, so I don't think that the point is PAT on the Checkpoint.)

I would appreciate any help, thanks.

2 Replies

murabi
Level 4

IPSec doesn’t work with PAT or NAT overload (Cisco, Checkpoint or any other product). You must have one-to-one translations.

Actually it worked! We could establish IPsec tunnels with more than one client behind the Checkpoint. I don't know what your reference point is in saying that it does not work, but actually what NAT transparency does is this: it uses UDP to transport ESP packets (protocol 50) so that the box which makes NAT or PAT makes a translation, and the box at the other end of the tunnel (conc. 3005 in our case) can take the packets sent to its UDP port. If NAT transparency was not used, it would drop the packet which was targeted to one of its ports which it normally filters.

The reason for its not working at the beginning was a misunderstanding, because I was not the one configuring the Checkpoint.
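As an added illustration of the NAT-transparency point made in the reply above (this is a toy model written for this page, not code from the thread, from Cisco or from Checkpoint), the following Python simulates why a PAT device can carry several UDP-encapsulated ESP tunnels but has nothing to translate on raw protocol-50 ESP. The addresses and SPIs are constructed, and UDP port 10000 is taken from the post as the concentrator's listening port.

```python
import struct

UDP, ESP = 17, 50            # IP protocol numbers
IPSEC_UDP_PORT = 10000       # concentrator UDP port named in the post (assumed here)

def esp_datagram(spi, seq, ciphertext):
    """Raw ESP (IP protocol 50): 4-byte SPI, 4-byte sequence number, then the encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext

def udp_encapsulate(src_port, esp):
    """NAT transparency: prepend a UDP header so a PAT device has ports to translate on."""
    return struct.pack("!HHHH", src_port, IPSEC_UDP_PORT, 8 + len(esp), 0) + esp

class PatDevice:
    """Toy PAT: every inside host is rewritten to one outside address with a unique source port."""
    def __init__(self, outside_ip):
        self.outside_ip, self.next_port, self.table = outside_ip, 40000, {}

    def translate(self, src_ip, proto, payload):
        # PAT multiplexes on transport ports; ESP has none, so the packet cannot be mapped.
        if proto != UDP:
            return None
        sport = struct.unpack("!H", payload[:2])[0]
        port = self.table.setdefault((src_ip, sport), self.next_port)
        if port == self.next_port:
            self.next_port += 1
        # Only the source port is rewritten; the UDP checksum is 0 (unused) in this toy.
        return self.outside_ip, struct.pack("!H", port) + payload[2:]

def concentrator_demux(proto, payload, sa_table):
    """Concentrator side: accept ESP on its UDP port, strip the header, select the SA by SPI."""
    if proto != UDP:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    if dport != IPSEC_UDP_PORT:
        return None
    spi = struct.unpack("!I", payload[8:12])[0]
    return sa_table.get(spi)

def run_demo():
    """Two clients behind one PAT box, as in the thread; returns what the concentrator sees."""
    pat = PatDevice("198.51.100.1")                      # constructed outside address
    sa_table = {0x1001: "client-A", 0x1002: "client-B"}  # constructed SPIs agreed at IKE time
    # Raw ESP from a client: the PAT box has no port to work with and drops it.
    raw = pat.translate("10.0.0.5", ESP, esp_datagram(0x1001, 1, b"\x00" * 16))
    seen = []
    for ip, spi in (("10.0.0.5", 0x1001), ("10.0.0.6", 0x1002)):
        esp = esp_datagram(spi, 1, b"\x00" * 16)
        out_ip, out = pat.translate(ip, UDP, udp_encapsulate(IPSEC_UDP_PORT, esp))
        seen.append((struct.unpack("!H", out[:2])[0], concentrator_demux(UDP, out, sa_table)))
    return raw, seen
```

Each client leaves the PAT box with its own translated source port, while the SPI inside the UDP payload is untouched, so the concentrator still picks the right security association.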
