Checkpoint SecureRemote VPN over Netgear DG834

Hi all

Another newbie 834 question.
I would like to run a VPN into my workplace and connect to my desktop.
At work we have CheckPoint Firewall1 software and to get through to that I
have installed SecureRemote software on my laptop.
The connectivity works fine across a dial up connection, but obviously speed
is not acceptable
I don't get error messages when syncing to the works router with that
software.
So now the laptop is part of a home network, accessing the internet via the
netgear DG834 router.
The secure remote software seems to launch and connect OK, but attempting to
remote desktop to my work PC results in the 800 windows error message being
displayed.

My understanding is that the Checkpoint software at the workplace and the
SecureRemote software at home represent the "end points" of the VPN tunnel.
Looking at the reference manual for the router/firewall, the VPN setup
instructions seem to be using the router/firewall as the tunnel end point.
All I think I need is for the firewall settings to allow communication
between the SecureRemote software at home and the CheckPoint software at
work.

Can anyone clarify this for me and point me towards the correct setup
procedure for this please?

TIA

Phil

"TheScullster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> Another newbie 834 question.
> I would like to run a VPN into my workplace and connect to my desktop.
> At work we have CheckPoint Firewall1 software and to get through to that I
> have installed SecureRemote software on my laptop.
> The connectivity works fine across a dial up connection, but obviously
> speed is not acceptable
> I don't get error messages when syncing to the works router with that
> software.
> So now the laptop is part of a home network, accessing the internet via
> the netgear DG834 router.
> The secure remote software seems to launch and connect OK, but attempting
> to remote desktop to my work PC results in the 800 windows error message
> being displayed.
>
> My understanding is that the Checkpoint software at the workplace and the
> SecureRemote software at home represent the "end points" of the VPN
> tunnel.
> Looking at the reference manual for the router/firewall, the VPN setup
> instructions seem to be using the router/firewall as the tunnel end point.
> All I think I need is for the firewall settings to allow communication
> between the SecureRemote software at home and the CheckPoint software at
> work.
>
> Can anyone clarify this for me and point me towards the correct setup
> procedure for this please?

Some general points that may help:

The VPN to the CheckPoint firewall should rely only on the client software
on the laptop. However, it is possible that it has been set up at the
workplace end with some security parameter which absolutely relies on the
dial-up connection; for example your dial-up might have a static IP
address - your worklplace IT staff should be able to help if this is the
case.

The router you have takes no part in managing the VPN - it simply carries
the VPN traffic. However, some ISPs - notably the cheaper "domestic"
services - do block or slow down the VPN traffic. I think this is because
they regard the VPN as "commercial" and therefore not compatible with their
"domestic" service. It may be that the Netgear router blocks this traffic.

In principle it is possible to configure the local router as the VPN client;
which provides a quite different arrangement, where the whole of your local
network is connected to your workplace network. This would be necessary
where you required several computers at your home to connect to the
workplace. I use Vigor routers for this sort of LAN-to-LAN configuration;
others will be able to say whether such a configuration is possible with a
Netgear. You would not then need any client software running on the local
computers.

--
Graham J

"Graham" wrote

>
> Some general points that may help:
>
> The VPN to the CheckPoint firewall should rely only on the client software
> on the laptop. However, it is possible that it has been set up at the
> workplace end with some security parameter which absolutely relies on the
> dial-up connection; for example your dial-up might have a static IP
> address - your worklplace IT staff should be able to help if this is the
> case.

Pretty sure that this is not the case!

> The router you have takes no part in managing the VPN - it simply carries
> the VPN traffic. However, some ISPs - notably the cheaper "domestic"
> services - do block or slow down the VPN traffic. I think this is because
> they regard the VPN as "commercial" and therefore not compatible with
> their "domestic" service. It may be that the Netgear router blocks this
> traffic.
>

I'll have to check up on this.
Being in Hull, we have one domestic ISP only - Kingston Communications, so
options are limited to a monopoly of 1.

> In principle it is possible to configure the local router as the VPN
> client; which provides a quite different arrangement, where the whole of
> your local network is connected to your workplace network. This would be
> necessary where you required several computers at your home to connect to
> the workplace. I use Vigor routers for this sort of LAN-to-LAN
> configuration; others will be able to say whether such a configuration is
> possible with a Netgear. You would not then need any client software
> running on the local computers.
>
I believe the Netgear can be configured in that way, but would rather keep
the networks separate to avoid trouble from (my own) meddling kids.

Thanks Graham

Phil

This site is an excellent resource for all things networking and VPN

http://www.chicagotech.net/

Error 800 is usually a firewall problem

I have problems with a Speedtouch 780WL which spontaneously and sporadically
decides not to handle IP Protocol 47 (GRE)

On Mon, 13 Aug 2007 14:40:12 +0100, in uk.telecom.broadband , "Graham"
<(E-Mail Removed)> wrote:

>The router you have takes no part in managing the VPN - it simply carries
>the VPN traffic.

Not entirely - depending on how the VPN works, you are very likely to
have to set up some port forwarding on the router to send the VPN
traffic to and from your PC. Again your office IT team should be able
to explain what is required. I would not recommend doing this without
their agreement as you may be in breach of company security
regulations.

--
Mark McIntyre

"Mark McIntyre" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 13 Aug 2007 14:40:12 +0100, in uk.telecom.broadband , "Graham"
> <(E-Mail Removed)> wrote:
>
>>The router you have takes no part in managing the VPN - it simply carries
>>the VPN traffic.
>
> Not entirely - depending on how the VPN works, you are very likely to
> have to set up some port forwarding on the router to send the VPN
> traffic to and from your PC. Again your office IT team should be able
> to explain what is required. I would not recommend doing this without
> their agreement as you may be in breach of company security
> regulations.

Exactly my point - the router does not manage the VPN, it simply carries the
VPN traffic. As Mark suggests, you might have to open specific ports on the
router to achieve this.

--
Graham J

> "Mark McIntyre" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> On Mon, 13 Aug 2007 14:40:12 +0100, in uk.telecom.broadband ,
>> "Graham" <(E-Mail Removed)> wrote:
>>
>>> The router you have takes no part in managing the VPN - it simply
>>> carries the VPN traffic.
>>>
>> Not entirely - depending on how the VPN works, you are very likely to
>> have to set up some port forwarding on the router to send the VPN
>> traffic to and from your PC. Again your office IT team should be able
>> to explain what is required. I would not recommend doing this without
>> their agreement as you may be in breach of company security
>> regulations.
>>
> Exactly my point - the router does not manage the VPN, it simply
> carries the VPN traffic. As Mark suggests, you might have to open
> specific ports on the router to achieve this.

I use Secure Client for work and it doesn't require you to forward ports.
Although whether that's down to the configuration or not I don't know.

Kev