
ADSL and Checkpoint SecuRemote and ADSL providers

  • 01-02-2003 4:09pm
    #1
    Registered Users Posts: 241 ✭✭


    We are looking into an ADSL solution to connect one location with another over the internet using the CheckPoint Securemote VPN solution. There are multiple machines in each location. Checkpoint Securemote does not work with NAT; each individual machine must have a real internet IP address. Has anyone any experience with either EircomNet or EsatBT and allocating additional IP addresses for clients? Do they charge extra for these, or do they offer this at all with ADSL?


Comments

  • Closed Accounts Posts: 741 ✭✭✭longword


    I believe ESAT give one static IP address with their current business services (512k and up). VIA also offers a fixed address. Eircom give dynamic addresses with I-Stream Solo and Multi (up to four dynamic addresses with that). I-Stream enhanced starts out with a dynamic address, but Eircom will give you for free as many static IP addresses as you can justify to RIPE. All of the providers give you public IP addresses - there's no NATing involved.


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    Originally posted by douglasman
    We are looking into an ADSL solution to connect one location with another over the internet using the CheckPoint Securemote VPN solution. There are multiple machines in each location. Checkpoint Securemote does not work with NAT; each individual machine must have a real internet IP address. Has anyone any experience with either EircomNet or EsatBT and allocating additional IP addresses for clients? Do they charge extra for these, or do they offer this at all with ADSL?

    There's no need for NAT. You can create a tunnel between the two machines. The machines will each have a public IP and also a private 'tunnel' IP. Machines on the LAN can use the tunnel's IP range to talk with each other. I've used this sort of setup with a Cisco, albeit unencrypted, but that won't make a difference.

    So the only public IPs you need will be for the two gateway machines... and seeing as they are on the internet already, they will have 'em.

    Gav


  • Closed Accounts Posts: 19 arlbb


    Verb, I'm trying to understand... I've been trying to figure this out for myself recently but I don't know much about it yet.
    There's no need for NAT. You can create a tunnel between the two machines. The machines will each have a public IP and also a private 'tunnel' IP. Machines on the LAN can use the tunnel's IP range to talk with each other.

    This is my take on it so far:
    If using ADSL with a LAN, presumably there is a router in each location with a public dynamic or static IP. NAT is being used for the internal network computers to share the connection via the router.
    Some routers can cope with VPN pass-thru while NAT is being used, some can't. I'm referring to IPSec VPN with an IPSec client software.
    Other VPNs will be using Windows PPTP or L2TP/IPSec. Again some routers can cope with this even with NAT enabled.

    I think the original point of the thread was... how to continue using the IPSec client when limited to one public static IP address which is being used by the router. Having only one public IP address means that NAT is necessary to share the connection. But the router being used obviously doesn't cope with NAT + IPSec.
    If it's possible to get extra public IP addresses, should the router be configured to allow a DMZ for specific machines and forward traffic for specific public IP addresses to those machines?
    But what if all computers on the LAN are supposed to be participating in the VPN?

    I'd love to be corrected in my ignorance.


  • Closed Accounts Posts: 258 ✭✭Ardmore


    If you're trying to connect from a single Desktop on a NATed LAN to a remote VPN server using VPN client software on the Desktop, then NAT may cause a problem, depending on whether your VPN software and your router can handle it.

    If you're trying to connect two sites with a "VPN tunnel" (router to router), then NAT shouldn't be an issue, because the two endpoints of the VPN will be at the public, un-NATed addresses of the routers. The VPN will be transparent to the desktops at each site, and you don't need to install client software on each desktop.

    It sounds from your description that you want a router-to-router solution, but you're going down the desktop to VPN "gateway" route.


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Secu-Remote is a client to Firewall VPN.

    Typically the firewall is immediately inside the router, so you will need 2 fixed IPs... one for the router and one for the firewall (ya cannot licence Checkpoint firewall 1 without a fixed IP).

    The client machine that 'dials' in over Secu-Remote can be anywhere and can create a VPN on the fly.
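
The desktop-client versus router-to-router distinction discussed in this thread, as an added example that is not part of any poster's message and is not Check Point's own protocol. It models one well-known reason an IPsec client can fail behind NAT: an AH-style integrity value covers the IP addresses, so a rewritten source address no longer verifies, while a gateway-to-gateway tunnel carries the private addresses inside an outer packet that no NAT touches. The addresses (documentation ranges), the key, the `Packet` type and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""  # integrity check value, empty until protect() is called


def compute_icv(key: bytes, pkt: Packet) -> bytes:
    # AH-style: the integrity value covers both addresses and the payload.
    msg = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(key: bytes, pkt: Packet) -> Packet:
    return replace(pkt, icv=compute_icv(key, pkt))


def verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, compute_icv(key, pkt))


def nat(pkt: Packet, public_ip: str) -> Packet:
    # Source NAT rewrites the address; it has no key, so the ICV stays stale.
    return replace(pkt, src=public_ip)


def encapsulate(key: bytes, inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    # Tunnel mode: the whole inner packet becomes the payload of an outer
    # packet addressed between the two gateways' public addresses.
    body = f"{inner.src}>{inner.dst}:".encode() + inner.payload
    return protect(key, Packet(gw_src, gw_dst, body))


def client_behind_nat(key: bytes) -> bool:
    # Desktop VPN client on a private address, router NATs it on the way out.
    pkt = protect(key, Packet("192.168.1.10", "203.0.113.1", b"hello"))
    return verify(key, nat(pkt, "198.51.100.7"))


def gateway_to_gateway(key: bytes) -> tuple[bool, bytes]:
    # LAN host sends plain traffic; the gateway with the public IP tunnels it.
    inner = Packet("192.168.1.10", "192.168.2.20", b"hello")
    outer = encapsulate(key, inner, "198.51.100.7", "203.0.113.1")
    return verify(key, outer), outer.payload
```

`client_behind_nat` fails verification at the far end, while `gateway_to_gateway` verifies and delivers the inner packet with its private addresses intact, which is why only the two gateways need public addresses in the router-to-router design.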

