Hi all,

I'm posting because I was trying to do the VPN thing from my work computer to my Z100G home network. I've talked to the security officer to enable the following ports:

Nombre: CheckPoint Autentication (IKE)
Port: 500
Type: UDP
Direction: Send Receive

Nombre: CheckPoint Encryption (UDP Encapsulation)
Port: 2746
Type: UDP
Direction: Send Receive

Nombre: CheckPoint Encryption (UDP Encapsulation for NAT)
Port: 4500
Type: UDP
Direction: Send Receive

Nombre: CheckPoint Topology Update
Port: 264
Type: TCP
Direction: Outbound

Nombre: CheckPoint Topology Update
Port: 256
Type: TCP
Direction: Outbound


Did I miss something?

I try the VPN from my bro' home network without any inconvenient so I know the VPN works, but from my work network.

Any advice? Thanks in advnace

This message has been edited. Last edited by: simonuca,

Please guys... any advice? pdf, link or whatever?

This article assumes the reader is familiar with the basic concepts and scenario of Remote Access VPN installation, as described in the Creating a Remote Access VPN Using SecuRemote/SecureClient Guide.

In case the SeuRemote/SecureClient installed under Windows XP with SP2...

* In case the SecuRemote/SecureClient software installed under Windows XP with SP2, Turn off the internal Windows firewall, or make sure that it does not block UDP packets.

In case the VPN client is installed on a computer behind a NAT device...

* In case the SecuRemote/SecureClient software installed on a computer behind a NAT device, it is recommended to use the Force UDP Encapsulation setting in the VPN client. For instructions click here.
* Make sure that the VPN client network IP address range and the VPN gateway's network IP range are not overlapping.

Modify MTU settings on the VPN client

SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecureRemote\Bin.

Check the VPN gateway settings

* Make sure that the VPN gateway is configured properly as described in the Creating a Remote Access VPN Using SecuRemote/SecureClient Guide.
* Make sure that the VPN gateway is configured with a public IP address. In case the VPN gateway is behind a NAT device, the remote access VPN connection will not work.

In case the VPN server is installed behind a NAT device...

If possible, consult with your ISP about ways to assign the security appliance with a valid IP. Otherwise, do the following:

* Make sure to open the following ports and traffic in the NAT device:
UDP 500 (IKE)
TCP 264 (Topology download)
UDP 2746 (UDP encapsulation)
UDP 259 (Check Point RDP)
UDP 4500 (NAT-T)
IP Protocol 50 (AKA ESP or IPSEC Passthru)
*
Use the command line interface and type the following command:
set device behindnat <IP>
Where IP is the public IP address of the NAT device. To access the command line interface Surf to http://my.firewall and Click on Setup>Tools>Command.

Note: this command line is supported with firmware 5.0.57 and subsequent versions.