RE: VPN Outbound

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Feb 2005 22:21:34 +0100

Hi Thomas, 
 
First of all thanks for the compliments on my article :-)

Personally I have no experience with Checkpoint NG. However, for the previous
version 'FW-1 4.X' you should have the following rules:

1) PPTP
-------

Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,PPTP,accept,Long,Any,Gateways
VPN-Gateway,Any,PPTP,accept,Long,Any,Gateways

So, you need two rules!

2) IPSec NAT-T
--------------

Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,IKE and NAT-T,accept,Long,Any,Gateways

The service IKE is UDP port 500 and Service NAT-T is UDP port 4500 or
whatever UDP port is used. 


HTH, 
Stefaan
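As an added example (not part of Stefaan's reply and not a Check Point tool), a small Python checker that parses rule rows in the comma-separated format above, expands the PPTP, IKE and NAT-T service names the way the thread describes them (TCP 1723 plus GRE protocol 47; UDP 500; UDP 4500), and reports whether each direction a Windows VPN client needs is explicitly accepted. The `client` address, the stateless first-match evaluation and the implicit drop at the end of the rulebase are assumptions made for the example.

```python
"""Stateless first-match check of FW-1 style rule rows for PPTP / NAT-T."""
from typing import Dict, List, Tuple

HEADER = "Source,Destination,Service,Action,Track,Time,Install"

# Service names as used in the rule rows, expanded to (protocol, port) pairs.
# GRE has no port, so 0 is used as a placeholder (assumption for the example).
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "PPTP": [("tcp", 1723), ("gre", 0)],   # control channel + data channel
    "IKE": [("udp", 500)],
    "NAT-T": [("udp", 4500)],
}

# Constructed rulebases, copied from the rule rows in the reply.
PPTP_ONE_RULE = HEADER + "\nAny,VPN-Gateway,PPTP,accept,Long,Any,Gateways\n"
PPTP_TWO_RULES = PPTP_ONE_RULE + "VPN-Gateway,Any,PPTP,accept,Long,Any,Gateways\n"
NAT_T_RULES = HEADER + "\nAny,VPN-Gateway,IKE and NAT-T,accept,Long,Any,Gateways\n"


def parse_rules(text: str) -> List[dict]:
    """Parse comma-separated rule rows; the header line is skipped."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.strip() == HEADER:
            continue
        src, dst, svc, action, _track, _time, _install = [c.strip() for c in line.split(",")]
        # A cell like "IKE and NAT-T" lists several services in one rule.
        rules.append({"src": src, "dst": dst, "services": svc.split(" and "), "action": action})
    return rules


def permitted(rules: List[dict], src: str, dst: str, proto: str, port: int) -> bool:
    """First matching rule decides; no match means the implicit drop."""
    for rule in rules:
        if rule["src"] not in ("Any", src) or rule["dst"] not in ("Any", dst):
            continue
        for name in rule["services"]:
            if (proto, port) in SERVICES[name]:
                return rule["action"] == "accept"
    return False


def vpn_flows_permitted(rules: List[dict]) -> Dict[Tuple[str, str, str, int], bool]:
    """Each direction a Windows VPN client needs, checked separately."""
    flows = [
        ("client", "VPN-Gateway", "tcp", 1723),  # PPTP control, client to gateway
        ("client", "VPN-Gateway", "gre", 0),     # PPTP data, client to gateway
        ("VPN-Gateway", "client", "gre", 0),     # PPTP data, gateway back to client
        ("client", "VPN-Gateway", "udp", 500),   # IKE
        ("client", "VPN-Gateway", "udp", 4500),  # NAT-T
    ]
    return {flow: permitted(rules, *flow) for flow in flows}
```

With only the inbound PPTP rule the gateway-to-client GRE direction comes back as not permitted, which is exactly the second rule the reply says is needed.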
________________________________

From: Thomas P. Endter [mailto:tendter@xxxxxxxxxxx] 
Sent: dinsdag 8 februari 2005 20:41
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Outbound


http://www.ISAserver.org


Hello,

My thanks go out to Stefaan Pouseele for his great article about allowing
IPSEC traffic through the ISA server. It worked so well that now I'm trying
to have my Checkpoint NG with Application Intelligence (R55) 091 do the
same. Stefaan's article showed clearly how to pass the SecureClient traffic
through the ISA. I would like to pass the Windows VPN client pptp and then
IPSEC traffic through my office's checkpoint to my ISA 2004 server at home.
The CP web site sucks and there doesn't seem to be a web site like this one
for that product, so please don't flame me for asking a CP question in this
forum. I tried my best to convince the boss to go with the ISA server but he
insisted on the CP.

I thought I'd start with passing pptp traffic and then trying the IPSEC NAT-T
once I got the pptp to pass. For the pptp I've allowed tcp 1723 and gre
protocol 47. The ms vpn client gets as far as verifying the
username/password and then the ms client reports that the remote system
didn't respond. The cp does not log any rejects or drops as it relates to
the connection. What other ports do I need open to allow this traffic to
pass?



Thanks,

Thomas P. Endter

Information Technology Manager

ChildNet

"To protect Broward's abused, neglected and abandoned children"

1400 West  Commercial Blvd, 2nd Floor

Ft. Lauderdale, FL 33309

(954) 557-6597 Phone

(954) 202-3897 Fax
