- PING to VPN Gateway works fine
- VPN Client is started and Gateway asks for user name etc and confirms successful connection
- PING to VPN Gateway (and any other host behind the gateway) is not replied anymore
When I remove the router and connect PC directly to DSL modem (PPPoE) all works fine.
What can be done to persuade the router to work with VPN?
There are a couple of potential issues that you might check here.
First, your router is probably NATing addresses so that when you connect through it, your VPN client has a private IP address, not a publicly routable IP address. This would explain the difference between being directly connected to the DSL modem (where the PC has a public IP address) and being indirectly connected through the router (where it doesn't). In order to solve this, it's important that the VPN client and gateway both support NAT traversal (a process where IPSec packets are encapsulated inside UDP packets to get through NAT firewalls and routers). I believe that newer versions of Check Point do this.
If you've already done this, the next thing is to make sure your router is supporting the NAT-traversal packets. To do this, you need to open UDP port 551 - the UDP port for encapsulated IPSec traffic.
Second, if all this is configured properly (i.e., you have NAT traversal enabled and you have the right ports open on your router), it may be that the client itself is not routing the traffic correctly. If the client isn't configured properly and it has a local private address, it will pass the VPN traffic directly to the local network and not through the tunnel. The local network and gateway router won't know what to do with the traffic and the pings fail. So the client tunnel configuration must associate the private addresses behind the VPN gateway (on the other side of the connection) with the VPN tunnel.
One more thing: the client SHOULD NOT associate the public address of the VPN server with the tunnel. When you ping the public address of the VPN gateway (the Check Point firewall at the other end of the connection), that ping should not go through the tunnel; it should go outside the tunnel, even when the tunnel is up. It may be that your configuration has this inverted and private traffic is being dumped onto the local network while the publicly routable gateway address is being routed through the tunnel, in which case neither ping will work.
Hope this helps,
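The two client-side routing checks in the answer (remote private networks must go via the tunnel, the gateway's own public address must not) can be verified from the client's routing table. The following is an added example, not code from the original answer or from any Check Point product; it assumes a Linux `ip route`-style table and uses a constructed sample table with a hypothetical gateway address and tunnel device.

```python
import ipaddress

# Constructed sample routing table in `ip route` format.  It deliberately
# shows the inverted case from the answer: the gateway's public address
# (hypothetical 203.0.113.5) has been routed into its own tunnel (tun0).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0
10.0.0.0/8 dev tun0
203.0.113.5 dev tun0
"""

def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def route_for(routes, address):
    """Longest-prefix match: the device that would carry traffic to address."""
    addr = ipaddress.ip_address(str(address))
    matches = [(net, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def check_tunnel_routing(routes, tunnel_dev, gateway_public_ip, remote_private_nets):
    """Report the two misconfigurations described in the answer.

    - every remote private network must be routed via the tunnel device
    - the gateway's own public address must NOT be routed via the tunnel
    Returns a list of problem strings; an empty list means routing looks right.
    """
    problems = []
    for net in remote_private_nets:
        dev = route_for(routes, ipaddress.ip_network(net).network_address)
        if dev != tunnel_dev:
            problems.append(f"{net} leaves via {dev}, not the tunnel {tunnel_dev}")
    if route_for(routes, gateway_public_ip) == tunnel_dev:
        problems.append(f"gateway {gateway_public_ip} is routed into its own tunnel")
    return problems

if __name__ == "__main__":
    for p in check_tunnel_routing(parse_routes(SAMPLE_ROUTES), "tun0",
                                  "203.0.113.5", ["10.0.0.0/8"]):
        print(p)
```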
This was first published in August 2002