Checkpoint and PPTP

Checkpoint and PPTP issues

 

You must add a rule permitting access between your PPTP clients and server. PPTP uses two services:

  • TCP port 1723 for the control session (PPTP-Control in the rules below)
  • An enhanced variant of GRE (IP protocol 47) carrying the tunnelled PPP data (PPTP-Data in the rules below)

 

To create the data service, define a new service of type Other.

For the name, use PPTP-Data. In the Match field, put: ip_p = 47, [22:2,b] = 0x880B

(Note: ip_p = 47 matches the IP protocol number for GRE. [22:2,b] = 0x880B reads the two bytes at offset 22 from the start of the IP header, big-endian; with the usual 20-byte IP header that is the GRE Protocol Type field, and 0x880B is the Protocol Type PPTP uses for PPP inside its enhanced GRE. The expression therefore matches PPTP data and not other GRE traffic. The fixed offset assumes an IP header without options.)
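As an added worked example (not from the original page and not Check Point code), the Python below does on raw packets what the INSPECT match above does on the gateway: it checks the IP protocol byte and the GRE Protocol Type word, and it also parses the RFC 2637 enhanced-GRE header properly (K bit, version 1, payload length and Call ID). The packets, addresses and Call IDs are constructed for the demonstration. It also shows the caveat of the literal expression: [22:2,b] assumes a 20-byte IP header, so a PPTP packet that carries IP options does not match the fixed offset although an IHL-aware parse recognises it.

```python
from __future__ import annotations
import struct

GRE_PROTO = 47            # ip_p = 47
PPTP_GRE_TYPE = 0x880B    # GRE Protocol Type for PPP (RFC 2637 enhanced GRE)


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero; nothing here validates it)."""
    assert len(options) % 4 == 0
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([198, 51, 100, 10]))  # made-up addresses
    return hdr + options + payload


def build_pptp_gre(call_id: int, ppp: bytes, seq: int | None = None) -> bytes:
    """RFC 2637 enhanced GRE: K bit set, version 1, Key = payload length + Call ID."""
    flags = 0x2000 | 0x0001                   # K=1, Ver=1
    if seq is not None:
        flags |= 0x1000                       # S bit: sequence number present
    hdr = struct.pack("!HHHH", flags, PPTP_GRE_TYPE, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + ppp


def matches_inspect_literal(pkt: bytes) -> bool:
    """Exactly what 'ip_p = 47, [22:2,b] = 0x880B' tests: the protocol byte at IP
    offset 9 and the big-endian 16-bit word at the fixed offset 22."""
    if len(pkt) < 24:
        return False
    return pkt[9] == GRE_PROTO and struct.unpack_from("!H", pkt, 22)[0] == PPTP_GRE_TYPE


def parse_pptp_gre(pkt: bytes) -> dict | None:
    """IHL-aware parse: returns the enhanced-GRE fields, or None if the packet is
    not PPTP data (wrong IP protocol, wrong GRE type, wrong GRE version, no Key)."""
    if len(pkt) < 20 or pkt[9] != GRE_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IP options shift the GRE header
    if len(pkt) < ihl + 8:
        return None
    flags, proto_type = struct.unpack_from("!HH", pkt, ihl)
    if proto_type != PPTP_GRE_TYPE or (flags & 0x7) != 1 or not (flags & 0x2000):
        return None
    payload_len, call_id = struct.unpack_from("!HH", pkt, ihl + 4)
    return {"ihl": ihl, "payload_len": payload_len, "call_id": call_id,
            "has_seq": bool(flags & 0x1000), "has_ack": bool(flags & 0x0080)}


# Constructed sample packets
PPP_FRAME = b"\x00\x21\x45\x00"               # PPP protocol 0x0021 (IP) + start of an IP header
PPTP_DATA = build_ipv4(GRE_PROTO, build_pptp_gre(0x1234, PPP_FRAME, seq=7))
PPTP_DATA_WITH_OPTIONS = build_ipv4(GRE_PROTO, build_pptp_gre(0x1234, PPP_FRAME),
                                    options=b"\x01" * 4)          # four NOP options
PLAIN_GRE = build_ipv4(GRE_PROTO, struct.pack("!HH", 0x0000, 0x0800) + b"\x45\x00")  # classic GRE, no Key
TCP_1723 = build_ipv4(6, struct.pack("!HH", 40000, 1723) + bytes(16))               # control connection


def classify(pkt: bytes) -> tuple[bool, int | None]:
    """(literal INSPECT match, Call ID from the IHL-aware parse or None)."""
    parsed = parse_pptp_gre(pkt)
    return matches_inspect_literal(pkt), (parsed["call_id"] if parsed else None)


if __name__ == "__main__":
    for name, p in [("PPTP data", PPTP_DATA), ("PPTP data + IP options", PPTP_DATA_WITH_OPTIONS),
                    ("plain GRE", PLAIN_GRE), ("TCP 1723", TCP_1723)]:
        literal, call_id = classify(p)
        print(f"{name:24s} literal match={literal!s:5s} call_id={call_id}")
```

The PPTP data packet matches both ways, the packet with IP options only via the parse, and plain GRE and the TCP control connection match neither; the Call ID the parser extracts is the field a NAT device has to read to keep several PPTP tunnels apart.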

 

The rules should look like this:

Source          Destination     Service                     Action
PPTP-Clients    PPTP-Server     PPTP-Control, PPTP-Data     Accept
PPTP-Server     PPTP-Clients    PPTP-Control, PPTP-Data     Accept

 

PPTP works with Static NAT. Hide NAT is the problem: older versions do not support it at all, and where it is supported it requires the PPTP fix and PPTP enforcement described in the solutions below.

 


Checkpoint Solution ID: sk12234 - PPTP with Network Address Translation (NAT) support in FireWall-1

Last Modified: 19-Dec-2007

 

Issues: PPTP does not work properly with Hide NAT.

Cause: Hide NAT hides many internal addresses behind one and relies on rewriting TCP/UDP port numbers to keep the flows apart. GRE (IP protocol 47) has no ports, so unless the gateway inspects the GRE header it cannot tell which internal host a returning GRE packet belongs to.

 

Solution

There are supported and unsupported PPTP NAT configurations when deployed with VPN-1/FireWall-1. Support varies with the product version.

 

PPTP with Static NAT configurations:

In VPN-1/FireWall-1 NG, PPTP is supported with Static NAT, whether the PPTP server or PPTP client is behind the firewall.

 

PPTP with Hide NAT configurations:

  • PPTP Clients behind the VPN-1/FireWall-1 NAT device.
    In VPN-1/FireWall-1 4.1 this is supported with the restriction that only one client can connect to a specific server at a time.
    Note: This configuration is supported in NG AI R55 HFA_10 and above, excluding NG AI R55W.

 

  • PPTP Server behind the VPN-1/FireWall-1 Hide NAT device.
    In this case a single routable IP address is used both for Hide NAT of the internal network and to accept incoming PPTP connections for an internal PPTP server (server mapping).
    Note: This configuration is not supported in either FireWall-1 4.1 or NG.
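As an added illustration (not Check Point code and not a description of the product's internals), the Python model below shows why Hide NAT handles the TCP control connection but not bare GRE, and what the "one client per server" restriction and the PPTP enforcement fix correspond to. In PPTP the Call ID negotiated on the TCP 1723 control channel is carried in the Key field of every GRE data packet (RFC 2637), so a gateway that reads the GRE header can use it the way it uses a TCP source port; a gateway that does not can only key on the server address, and a second client to the same server collides. Hosts, addresses and Call IDs are constructed for the demonstration, and the rewriting of Call IDs is how a PPTP NAT helper works in general, assumed here rather than taken from the page.

```python
from dataclasses import dataclass, field


class NatCollision(Exception):
    """Hide NAT cannot tell two inside hosts' GRE tunnels to the same server apart."""


@dataclass
class HideNat:
    public_ip: str
    pptp_enforcement: bool = False                      # True: inspect and rewrite the GRE Call ID
    _tcp_ports: dict = field(default_factory=dict)      # pub_port -> (client, private_port)
    _gre_owner: dict = field(default_factory=dict)      # server -> client (no GRE inspection)
    _calls: dict = field(default_factory=dict)          # (server, pub_call_id) -> (client, private_call_id)
    _next_port: int = 10000
    _next_call_id: int = 1

    def tcp_out(self, client: str, src_port: int, server: str) -> tuple:
        """TCP 1723 control connection: ordinary port translation makes every flow unique."""
        pub_port = self._next_port
        self._next_port += 1
        self._tcp_ports[pub_port] = (client, src_port)
        return (self.public_ip, pub_port, server)

    def tcp_in(self, pub_port: int):
        return self._tcp_ports.get(pub_port)

    def pptp_call_out(self, client: str, server: str, call_id: int) -> int:
        """Client starts a PPTP call. Returns the Call ID the server will see."""
        if not self.pptp_enforcement:
            owner = self._gre_owner.setdefault(server, client)
            if owner != client:
                raise NatCollision(f"{server} already has a GRE tunnel from {owner}")
            return call_id                              # GRE passes through untouched
        pub_id = self._next_call_id
        self._next_call_id += 1
        self._calls[(server, pub_id)] = (client, call_id)
        return pub_id                                   # rewritten in the control channel and the GRE Key

    def gre_in(self, server: str, call_id: int):
        """GRE data from the server; returns (client, Call ID the client expects) or None."""
        if not self.pptp_enforcement:
            client = self._gre_owner.get(server)
            return (client, call_id) if client else None
        return self._calls.get((server, call_id))


def demo(pptp_enforcement: bool) -> dict:
    """Two inside clients dial the same PPTP server through one hidden address (constructed scenario)."""
    nat = HideNat("203.0.113.1", pptp_enforcement)
    result = {}
    # The control channel is never the problem: translated ports keep the two flows apart.
    pub_a = nat.tcp_out("10.0.0.5", 40001, "198.51.100.10")
    pub_b = nat.tcp_out("10.0.0.6", 40001, "198.51.100.10")
    result["tcp_ok"] = (pub_a != pub_b
                        and nat.tcp_in(pub_a[1])[0] == "10.0.0.5"
                        and nat.tcp_in(pub_b[1])[0] == "10.0.0.6")
    try:
        id_a = nat.pptp_call_out("10.0.0.5", "198.51.100.10", 0x1234)
        id_b = nat.pptp_call_out("10.0.0.6", "198.51.100.10", 0x1234)  # both clients happened to pick 0x1234
    except NatCollision as exc:
        result["second_client"] = "refused: " + str(exc)
        return result
    result["second_client"] = "accepted"
    result["delivery_a"] = nat.gre_in("198.51.100.10", id_a)
    result["delivery_b"] = nat.gre_in("198.51.100.10", id_b)
    return result


if __name__ == "__main__":
    print("without GRE inspection:", demo(False))
    print("with PPTP enforcement: ", demo(True))
```

Without GRE inspection the second client to the same server has to be refused (a gateway that did not refuse it would deliver the returning GRE packets to the wrong client or drop them); with Call ID inspection and rewriting both tunnels are delivered to the right client with the Call ID each client chose. This is also why the control connection has to be readable by the gateway: the Call IDs are learned and rewritten there.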

 

All fixes for the PPTP issues are incorporated into VPN-1 Pro NGX R60.

To make them work, enable PPTP enforcement in SmartDefense (Application Intelligence -> VPN Protocols -> PPTP Enforcement).

 


Checkpoint Solution ID: sk31770 - Encrypted PPTP/GRE does not work with Hide NAT

Last Modified: 14-Jan-2008

 

Issues: PPTP connectivity fails when GRE tunnels are encrypted and being Hide NATed through a VPN-1 gateway.

 

Cause: VPN-1 PPTP enforcement and network address translation require inspection of the GRE packet header, and do not support encrypted GRE tunnels in which the GRE header is encrypted along with the payload.

 

Solution

If you want to use Hide NAT with the PPTP protocol in a GRE environment, you have two options:

 

  1. Make sure the GRE tunnel is unencrypted ("clear").
  2. Use Static NAT instead of Hide NAT.

 

Note that the PPTP control connection, like the GRE header, must be in clear text, and that PPTP enforcement in SmartDefense must be active for the translation to take place.

 


Checkpoint Solution ID: sk30139 - PPTP does not work with Hide NAT in R55W

Last Modified: 06-Dec-2006

 

Issues: PPTP does not work with Hide NAT in R55W

 

Solution

The fix for Hide NAT and PPTP is not included in R55W. Upgrade to NGX.