A question about Checkpoint firewall and Telnet over VPN

on 05.11.2006 22:43:44 by apsolar

Hello

I have been trying different options to resolve an issue with a remote
site VPN tunnel. I have the tunnel up and working. I have tried using
IPSEC with low, medium and strict security profile.
Since I am using Shiva VPN devices, I have tried using their Shiva
Smart Tunnels too. They all work fine. I can perform all the normal
operations like file copy, establish VNC sessions and browse the internet
too. The only problem is with the telnet session from that remote site
to another site which goes through my company LAN. The telnet session
works fine from the internal company LAN, but it doesn't work from that
remote site. It starts off well, allowing the users to log in, but once
they log in, it freezes up.
Initially I assumed this was caused by the encryption, but later on
found out that it's the checkpoint firewall on the company side that
causes this problem. I am sure about this because I tried a different
VPN connection via an ADSL connection that connected to the company LAN
without going through the firewall. It worked perfectly fine, allowing the
telnet session.

Could anybody tell me what settings on checkpoint would resolve this
issue?

thanks
Ankit

Re: A question about Checkpoint firewall and Telnet over VPN

on 06.11.2006 13:15:53 by moncho

apsolar@gmail.com wrote:
> Hello
>
> I have been trying different options to resolve an issue with a remote
> site VPN tunnel. I have the tunnel up and working. I have tried using
> IPSEC with low, medium and strict security profile.
> Since I am using Shiva VPN devices, I have tried using their Shiva
> Smart Tunnels too. They all work fine. I can perform all the normal
> operations like file copy, establish VNC sessions and browse the internet
> too. The only problem is with the telnet session from that remote site
> to another site which goes through my company LAN. The telnet session
> works fine from the internal company LAN, but it doesn't work from that
> remote site. It starts off well, allowing the users to log in, but once
> they log in, it freezes up.
> Initially I assumed this was caused by the encryption, but later on
> found out that it's the checkpoint firewall on the company side that
> causes this problem. I am sure about this because I tried a different
> VPN connection via an ADSL connection that connected to the company LAN
> without going through the firewall. It worked perfectly fine, allowing the
> telnet session.
>
> Could anybody tell me what settings on checkpoint would resolve this
> issue?

This is probably not a checkpoint issue. I had the same problem using
telnet to connect to a UNIX machine. It is most likely a packet size issue.

You will need to lower the MTU on both ends of the connection. I had to
lower the MTU on both ends to 1390.

I discovered this was a problem when I would get to a prompt and try to
ls a directory with 100's of files. It would freeze after listing the
first 30 or so. Lowered the MTU on both ends and all was well.

moncho
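
Added example, not part of moncho's post: a calculation of IPsec ESP tunnel-mode overhead that shows why full-size packets (a long `ls` listing) can stall while small ones (login keystrokes) pass, and why an MTU of 1390 leaves headroom. The thread does not say which transforms the tunnel used, so the two transforms and the 1492-byte PPPoE path MTU below are assumptions.

```python
# Added example: ESP tunnel-mode overhead vs. path MTU (transforms are assumptions).
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NAT_T_UDP = 8      # UDP/4500 encapsulation header (RFC 3948)

@dataclass(frozen=True)
class Transform:
    name: str
    block: int   # cipher block size; ESP padding aligns to this
    iv: int      # per-packet IV length
    icv: int     # truncated integrity check value length

# Common transforms of that era; which one the tunnel in the thread used is not stated.
TDES_SHA1 = Transform("3des-cbc/hmac-sha1-96", 8, 8, 12)
AES_SHA1 = Transform("aes-cbc/hmac-sha1-96", 16, 16, 12)

def esp_packet_size(inner_len, t, nat_t=False):
    """Size on the wire of one ESP tunnel-mode packet carrying an inner IP packet."""
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block  # round up to block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + t.iv + padded + t.icv

def max_inner_packet(path_mtu, t, nat_t=False):
    """Largest inner IP packet that fits in path_mtu without fragmentation."""
    fixed = OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + t.iv + t.icv
    room = (path_mtu - fixed) // t.block * t.block  # whole cipher blocks only
    return room - ESP_TRAILER

def fits(inner_len, path_mtu, t, nat_t=False):
    """True if the encapsulated packet needs no fragmentation on this path."""
    return esp_packet_size(inner_len, t, nat_t) <= path_mtu

if __name__ == "__main__":
    for mtu in (1500, 1492):           # Ethernet; PPPoE (assumed for the ADSL case)
        for t in (TDES_SHA1, AES_SHA1):
            for nat_t in (False, True):
                print(mtu, t.name, "nat-t" if nat_t else "plain",
                      "max inner:", max_inner_packet(mtu, t, nat_t),
                      "| 1500 fits:", fits(1500, mtu, t, nat_t),
                      "| 1390 fits:", fits(1390, mtu, t, nat_t))
```

If a device on the path drops the oversized encapsulated packets, or the ICMP "fragmentation needed" replies, the sender never learns to shrink its segments and the session hangs on the first full-size packet.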

Re: A question about Checkpoint firewall and Telnet over VPN

on 07.11.2006 05:33:37 by apsolar

I tried lowering the MTU size but it didn't help. The other option
which I tested successfully was using a PIX firewall at the remote end
and that had the default MTU size of 1500, but it still worked. I don't
think MTU is the problem. I have had feedback from the remote site
users who say that the session does work sometimes and doesn't most of
the time.
Any other ideas?

Thanks for your suggestion, moncho.

Re: A question about Checkpoint firewall and Telnet over VPN

on 22.11.2006 18:10:48 by columbotrek

apsolar@gmail.com wrote:
> Hello
>
> I have been trying different options to resolve an issue with a remote
> site VPN tunnel. I have the tunnel up and working. I have tried using
> IPSEC with low, medium and strict security profile.
> Since I am using Shiva VPN devices, I have tried using their Shiva
> Smart Tunnels too. They all work fine. I can perform all the normal
> operations like file copy, establish VNC sessions and browse the internet
> too. The only problem is with the telnet session from that remote site
> to another site which goes through my company LAN. The telnet session
> works fine from the internal company LAN, but it doesn't work from that
> remote site. It starts off well, allowing the users to log in, but once
> they log in, it freezes up.
> Initially I assumed this was caused by the encryption, but later on
> found out that it's the checkpoint firewall on the company side that
> causes this problem. I am sure about this because I tried a different
> VPN connection via an ADSL connection that connected to the company LAN
> without going through the firewall. It worked perfectly fine, allowing the
> telnet session.
>
> Could anybody tell me what settings on checkpoint would resolve this
> issue?
>
> thanks
> Ankit
>
Hard to say. You didn't mention what version of Checkpoint it is, or whether
you were using Smart Defense or not. Is it telnet or SSH, and if it is SSH,
what version... 1, 2, or 3? Depending on the firewall and its config,
you can discriminate at that level. Any clues from the log files? You
are logging drops at least as a diag tool, I assume.