Hi!
One of the users inside our internal network would like to connect via checkpoint VPN software to an outside network. As far as I know, we should forward ESP packets to his internal host in our network. Is that possible with pf and OpenBSD?
Any IP protocol may be used with PF packet filtering rules and redirection rules. The protocol may be specified by number or by name, as defined in /etc/protocols. This includes ESP, IP protocol 50.
The definitive ruleset is in the man page for pf.conf(5). Guidelines and some "How To" information may be obtained from the PF User's Guide, and additional information may also be garnered from Peter Hansteen's recent publication, The Book of PF, which has been getting excellent reviews, and you may also find Jacek Artymiak's Building Firewalls with OpenBSD and PF helpful.
If the user uses CheckPoint SecuRemote/SecureClient, it is easy to create the rules.
This passage is from the CheckPoint manual:
If a SecuRemote/SecureClient is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow SecuRemote/SecureClient traffic to pass:
Table 1-16 ports to open for non-Check Point firewalls
port | explanation
UDP port 500 | always, even if using IKE over TCP
TCP port 500 | only if using IKE over TCP
IP protocol 50 ESP | unless always using UDP encapsulation
UDP port 2746 | configurable; only if using UDP encapsulation
UDP port 259 | only if using MEP, interface resolving or interface High Availability
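The ports in the table above, written as a pf.conf fragment; this is an added example, not part of the original posts or the Check Point manual. It assumes the nat-to/rdr-to syntax of OpenBSD 4.7 and later, a default `block` policy elsewhere in the ruleset, and constructed interface names and addresses (`em0`, `em1`, `192.168.1.50`, `203.0.113.10`).

```conf
# Assumptions (constructed values, replace with your own):
ext_if     = "em0"            # Internet-facing interface
int_if     = "em1"            # LAN interface
vpn_client = "192.168.1.50"   # internal host running SecuRemote/SecureClient
vpn_gw     = "203.0.113.10"   # remote Check Point gateway

# UDP ports from the manual's table:
#   500  always
#   2746 only if using UDP encapsulation (configurable)
#   259  only if using MEP, interface resolving or interface High Availability
vpn_udp = "{ 500, 2746, 259 }"

# Let the client's VPN traffic in from the LAN, limited to the one gateway.
pass in quick on $int_if inet proto udp from $vpn_client to $vpn_gw port $vpn_udp
pass in quick on $int_if inet proto esp from $vpn_client to $vpn_gw
# Only if using IKE over TCP:
pass in quick on $int_if inet proto tcp from $vpn_client to $vpn_gw port 500

# Translate and pass the same traffic out. nat-to sits on the pass rules
# themselves so that "from $vpn_client" is still the untranslated address.
pass out quick on $ext_if inet proto udp from $vpn_client to $vpn_gw port $vpn_udp \
    nat-to ($ext_if)
pass out quick on $ext_if inet proto esp from $vpn_client to $vpn_gw \
    nat-to ($ext_if)
pass out quick on $ext_if inet proto tcp from $vpn_client to $vpn_gw port 500 \
    nat-to ($ext_if)

# ESP (IP protocol 50) has no ports, so pf keeps state on addresses only.
# Replies to the client's own ESP packets match the state created above.
# This rule covers ESP that the gateway sends before the client has sent
# any: it is redirected to the single internal client.
pass in quick on $ext_if inet proto esp from $vpn_gw to ($ext_if) \
    rdr-to $vpn_client
pass out quick on $int_if inet proto esp from $vpn_gw to $vpn_client
```

Because the redirect is keyed on addresses alone, it can serve only one internal client per remote gateway; `pfctl -nf /etc/pf.conf` parses the ruleset without loading it.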