
Netscreen or Checkpoint VPN client issues behind RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by jfeely69, Aug 4, 2006.

  1. jfeely69

    jfeely69 LI Guru Member

    Has anyone experienced issues running a VPN client from either Netscreen or Checkpoint behind an RV042 connected to a Time Warner Cable Modem? I have an issue that I can establish a connection to the remote Netscreen or Checkpoint hardware, but the tunnel never establishes to route traffic out of. To check settings, I have removed the RV042 from the system and went direct to the cable modem. I can establish a full tunnel this way. Once returned behind the RV042, nothing. I tried installing the clients on multiple machines to rule out software conflicts, and received the same results. I have a feeling it is an issue with NAT on the unit. Once the first phase completes, the router does not know where to pass the traffic back to the client on the PC.

    Has anyone else run into an issue like this, and what did you do to work around it?

    By the way, Cisco SSL, Cisco Client, & Nortel Clients all work without issues, but they use different ports for establishing IPSEC tunnels.
     
  2. Toxic

    Toxic Administrator Staff Member

    What ports do Netscreen / Checkpoint use? Perhaps a port needs to be open to allow the VPN tunnel access?

    Can the RV042 and the other hardware not create the VPN tunnel without the client software behind the RV042?
     
  3. jfeely69

    jfeely69 LI Guru Member

    I have to use the Client software for connecting to customer locations. I can not establish a hardware to hardware VPN for security reasons.

    As for ports, when I did a Sniffer trace, I see UDP 18234, 4500 & 2100-2799 being used for a good established connection. Phase 1 connectivity uses 4500 from the far end device to connect with my client software. Phase 2 uses 18234 for the far end device. I see UDP bidirectional traffic on both phases.
    When behind the RV042, I see Phase 1 work fine, but Phase 2 only has outbound traffic on the client side. No return traffic from the far end. Looks to be some sort of NAT issue where the router does not know where to send inbound traffic. I established a forwarding rule that opened all of those ports (stated above) to pass direct to my internal private IP. That did not work. I shut off all Firewall resources; that did not work. I have the latest posted Beta code running. Still no change.

    Is there an IOS type interface that I can do CLI diags on the router? I don't see any blocked traffic in the logs, but they are limited to SPI blocks not NAT drops.
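The symptom described in this post (Phase 1 on UDP 4500 is bidirectional, Phase 2 on UDP 18234 shows outbound packets only) is easy to confirm from a capture taken on the client PC. The script below is an added example, not code from the thread or from Cisco; it reads a tab-separated packet list in the column order that a field export such as tshark's `-T fields -e frame.time_relative -e ip.src -e ip.dst -e udp.srcport -e udp.dstport` produces (assumption: your export uses that order), groups packets by remote address and remote port relative to the client, and flags any flow that never received a reply. The embedded sample capture is constructed with documentation/RFC1918 addresses and mirrors the poster's observation; it is not the poster's trace.

```python
from collections import defaultdict

# Constructed sample (not the poster's trace): client 192.168.1.10 talking to a
# remote gateway 203.0.113.5. UDP 4500 goes both ways, UDP 18234 only outbound.
CLIENT_IP = "192.168.1.10"
SAMPLE_CAPTURE = """\
0.000\t192.168.1.10\t203.0.113.5\t4500\t4500
0.041\t203.0.113.5\t192.168.1.10\t4500\t4500
0.052\t192.168.1.10\t203.0.113.5\t4500\t4500
0.093\t203.0.113.5\t192.168.1.10\t4500\t4500
1.200\t192.168.1.10\t203.0.113.5\t2101\t18234
2.210\t192.168.1.10\t203.0.113.5\t2101\t18234
3.220\t192.168.1.10\t203.0.113.5\t2101\t18234
"""


def parse_capture(text):
    """Yield (time, src, dst, sport, dport) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 5:
            continue
        t, src, dst, sport, dport = parts
        yield float(t), src, dst, int(sport), int(dport)


def summarize_flows(text, client_ip):
    """Count packets per (remote_ip, remote_port), split by direction relative to the client."""
    summary = defaultdict(lambda: {"out": 0, "in": 0})
    for _, src, dst, sport, dport in parse_capture(text):
        if src == client_ip:
            # client -> remote: the remote port is the destination port
            summary[(dst, dport)]["out"] += 1
        elif dst == client_ip:
            # remote -> client: the remote port is the source port
            summary[(src, sport)]["in"] += 1
        # packets that do not involve the client are ignored
    return dict(summary)


def one_way_flows(summary):
    """Return (remote_ip, remote_port) pairs that only ever saw client -> remote traffic."""
    return sorted(k for k, v in summary.items() if v["out"] > 0 and v["in"] == 0)


def report(text, client_ip):
    """Human-readable line per remote endpoint, marking flows with no return traffic."""
    summary = summarize_flows(text, client_ip)
    lines = []
    for (ip, port), c in sorted(summary.items()):
        status = "one-way (no reply seen)" if c["in"] == 0 else "bidirectional"
        lines.append(f"{ip}:{port}/udp  out={c['out']} in={c['in']}  {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE, CLIENT_IP)))
    suspects = one_way_flows(summarize_flows(SAMPLE_CAPTURE, CLIENT_IP))
    print("No return traffic on:", ", ".join(f"{ip}:{port}/udp" for ip, port in suspects))
```

Run it once on a capture taken with the PC plugged straight into the cable modem (where the poster got a full tunnel) and once on a capture taken behind the RV042; a remote port that is bidirectional in the first run and one-way in the second is the flow whose replies the router is not delivering back to the LAN host, which is exactly what a port-forwarding or NAT-mapping rule on the router needs to cover.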
     
  4. Toxic

    Toxic Administrator Staff Member

  5. jfeely69

    jfeely69 LI Guru Member

    Not a bad command line interface. I just wish it looked more like Cisco IOS. Unfortunately, I could not find a command to help remap NAT routes for certain requested ports or situations.

    So the original part of this query goes back out again. Has anyone else tried to use Netscreen or Checkpoint Client VPN software on their PC behind the RV042 with any luck, and what did you do to make it work?
     
  6. Toxic

    Toxic Administrator Staff Member

    This is long, but shows all available commands AFAIK.

    RV042>
    exit
    die
    ps
    rg_conf_print
    rg_conf_set
    rg_conf_set_obscure
    rg_conf_del
    rg_conf_ram_set
    rg_conf_ram_print
    reconf
    entity_close
    host
    rgpf_config
    rgpf_info
    rgpf_info2
    fw_set_age
    flash_commit
    restore_default
    reboot
    log_lev_on
    log_lev_off
    exec
    rmt_upd
    rmt_upd_wget_close
    rg_ifconfig
    cat
    shell
    cat_log
    bridge_info
    flash_layout
    flash_erase
    flash_dump
    bset
    ifconfig
    ping
    nk_ip
    monlink
    monlinkend
    wandown
    wanup
    lbtrafficup
    lbtrafficdown
    setequalize
    delequalize
    addinf
    delinf
    activewaninf
    teravpn
    addvpn
    addvpn_ip_fqdn
    switch_reset_set
    switch_stat_get
    read_sw_reent
    mem_alloc
    mem_alloc_free
    nk_tag_vlan
    nk_vlan_all
    boot
    load
    8021x_open
    8021x_close
    8021x_status
    8021x_set_mode
    8021x_mac_auth
    nk_factory_print
    nk_factory_set
    ver
    help
    etask_list_dump
    RV042>

    RV042> shell
    Returned 0
    RV042>

    BusyBox v0.50 (2006.06.08-12:45+0000) Built-in shell (lash)
    Enter 'help' for a list of built-in commands.

    / #
    _pluto_adns arp bpalogin busybox
    cat chgrp chmod chown
    cp date df du
    echo eroute grep gunzip
    gzip head ifconfig init
    insmod kill killall klipsdebug
    ln ls lsmod main_task
    mkdir more mount mv
    ping pkcs_request pluto pppd
    pptp pptp_callmgr pptpctrl pptpd
    ps pwd qos_rule_set ranbits
    rm rmdir rmmod route
    rsasigkey sh sort spi
    spigrp stty stunnel sync
    tail tar tc tftp
    tncfg touch umount usleep
    whack zcat
    / #
     
  7. nlagalle

    nlagalle LI Guru Member
