*** HELP: Windows XP VPN Client behind firewall

[J.H]

Hi there,

We have very strang situation that:

Our network is behind Checkpoint firewall
The network behind the firewall is also public IPs
We have all routing working properly for the network behind the firewall

We have policy that "Any' service request for outgoing will be accepted on
the Firewall
Except we block all incoming request on any service, ports --> Here comes
the problem:

Situation that:

Windows XP/2000 VPN Client on the network behind firewall trying to connect
to an
Internet Microsoft 2000/2003 VPN server, the connection is timed out with
619/721 code!!

BUT if we allow "All' incoming request to the network behind the firewall,
the Windows XP/2000 VPN
client is able to establish the connection to the MSFT 2000/2003 VPN server

Question:
What the incoming port should be opened for establishing the VPN Client
behind the firewall to
talk with Internet VPN server? It seems to me that VPN server was trying to
responding back
the VPN Client but it was blocked by the firewall in front of VPN client!!!

Help!!

Thanks,
J.H

 

[Bill Grant]

If you are using PPTP, communication is on tcp port 1723. The encrypted
data is in a packet with a GRE header, so you will get an error 721 if your
firewall blocks this protocol (which is IP protocol 47).

 

[J.H]

Hi Bill,

That is right Thanks for your response!!!
I found that the CheckPoint Firewall eventually does not bypass any services
& port
at all incoming request when a VPN client behidn it trying to connect an
Internet VPN Server (MSFT 2K/2k3) !!! Except if we use the (example, tested)
Linksys DSL/Router, the linksys can bypass the protocol 47 for incoming
request to the VPN client behind a firewall.

I also found that for a 'very strict firewall' such as CheckPoint FW-1 VPN,
there should be a policy
allowed incoming access for the MSFT VPN server into the network behind
Firewall with GRE ip_p = 47
It will then work properly

Thanks again for your post that shared your experience with us!!

Regards,
J.H