https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3689#M32 <HTML><HEAD></HEAD><BODY><P>You don't create NAT rules in Expert mode, but you can create them through the CLI.</P><P>It wouldn't operate any differently than doing it through the WebUI.</P><P>In any case,&nbsp;"any" is equivalent to 0.0.0.0/0, or you might have to create a range object to cover 0.0.0.1-255.255.255.255.&nbsp;</P></BODY></HTML> Thu, 22 Jun 2017 17:34:48 GMT PhoneBoy 2017-06-22T17:34:48Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3678#M21 <HTML><HEAD></HEAD><BODY><P>I am using a Checkpoint R600 appliance and wish to override the built in handling of l2tp traffic and forward to an internal vpn server. Has &nbsp;anyone done this ? I've set up forwarding rules but they are overridden by the internal services for IKE and IKE traversal.</P><P>Thanks for any advice, Carl</P></BODY></HTML> Tue, 20 Jun 2017 15:25:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3678#M21 Carl_Stainton 2017-06-20T15:25:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3679#M22 <HTML><HEAD></HEAD><BODY><P>Actually, the 600 has an L2TP endpoint on it your clients can connect to--see <SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk101466.</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Make sure the relevant options are disabled.</SPAN></P></BODY></HTML> Tue, 20 Jun 2017 21:38:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3679#M22 PhoneBoy 2017-06-20T21:38:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3680#M23 <HTML><HEAD></HEAD><BODY><P>Thanks Dameon, but we want to do pass through as the Active Directory authentication doesn’t work with our OpenLDAP (though it does work on the internal destination).</P></BODY></HTML> Tue, 20 Jun 2017 21:44:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3680#M23 Carl_Stainton 2017-06-20T21:44:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3681#M24 <HTML><HEAD></HEAD><BODY><P>Understood.</P><P>What I'm saying is if these options are enabled, it definitely won't work <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>How are you attempting to configure L2TP passthrough?</P><P>Can you post screenshots of the rules you're attempting to use?</P></BODY></HTML> Tue, 20 Jun 2017 21:55:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3681#M24 PhoneBoy 2017-06-20T21:55:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3682#M25 <HTML><HEAD></HEAD><BODY><P>I can't screenshot at the moment as not in work. The remote access vpn is disabled at the admin interface, and just to be doubly sure, I've ran "vpn drv off" from clish.</P><P></P><P>The passthrough is attempted via an access policy forwarding udp ports 500,1701 and 4500 on to the internal destination.</P></BODY></HTML> Tue, 20 Jun 2017 22:01:16 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3682#M25 Carl_Stainton 2017-06-20T22:01:16Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3683#M26 <HTML><HEAD></HEAD><BODY><P>Understood.</P><P>I will have to check with someone in R&amp;D to see if this is possible or not.</P></BODY></HTML> Tue, 20 Jun 2017 22:05:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3683#M26 PhoneBoy 2017-06-20T22:05:53Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3684#M27 <HTML><HEAD></HEAD><BODY><P>I should also add the logs show that when attempting a connection in this scenario, I get entries referencing the VPN and also IKE and IKE traversal rather than any forwarding going on.</P></BODY></HTML> Tue, 20 Jun 2017 22:07:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3684#M27 Carl_Stainton 2017-06-20T22:07:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3685#M28 <HTML><HEAD></HEAD><BODY><P>Thanks - if the passthrough is not possible, I would be also be content to use the UTM VPN endpoint if we could link to the users and groups we've already defined under our ldap server, though sadly it seems just Active Directory is supported.</P></BODY></HTML> Tue, 20 Jun 2017 22:12:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3685#M28 Carl_Stainton 2017-06-20T22:12:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3686#M29 <HTML><HEAD></HEAD><BODY><P>To disable the implied rules around L2TP,&nbsp;a code change may be required.</P><P>Please open a support ticket, who will&nbsp;be able to investigate with R&amp;D.</P><P>Also possible support may be able to assist in getting the 600 to talk to a generic LDAP server instead of Active Directory.</P></BODY></HTML> Wed, 21 Jun 2017 13:25:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3686#M29 PhoneBoy 2017-06-21T13:25:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3687#M30 <HTML><HEAD></HEAD><BODY><P>Thanks Dameon, I appear to have to get support through the reseller which is particularly onerous. I tinkered with the possibility of using the routers own endpoint and maintaining a temporary user database for those in need, but even the default office mode routing seems screwy. I suppose some additional configuration is required there. Naively I thought routing everything in the office mode default 172.16.10.0.x via the gateway at 172.16.0.1 would work but no DNS was supplied to my test client and even reaching LAN resources by ip was not possible.</P></BODY></HTML> Thu, 22 Jun 2017 10:21:40 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3687#M30 Carl_Stainton 2017-06-22T10:21:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3688#M31 <HTML><HEAD></HEAD><BODY><P>Hi Dameon,</P><P></P><P>Further bit of info, some of the IPSEC IKE stuff <STRONG>is</STRONG> making it to the internal endpoint, it is the L2TP connection that fails. Reading up on some similar cases with other equipment they have to add a nat-network entry of the form 0.0.0.0/0</P><P></P><P>Now I just need to know where to add this in expert mode I think.</P></BODY></HTML> Thu, 22 Jun 2017 11:55:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3688#M31 Carl_Stainton 2017-06-22T11:55:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3689#M32 <HTML><HEAD></HEAD><BODY><P>You don't create NAT rules in Expert mode, but you can create them through the CLI.</P><P>It wouldn't operate any differently than doing it through the WebUI.</P><P>In any case,&nbsp;"any" is equivalent to 0.0.0.0/0, or you might have to create a range object to cover 0.0.0.1-255.255.255.255.&nbsp;</P></BODY></HTML> Thu, 22 Jun 2017 17:34:48 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Checkpoint-R600-appliance-L2TP-pass-through/m-p/3689#M32 PhoneBoy 2017-06-22T17:34:48Z