
Subject: Re: [FW-1] AW: [FW-1] Site-to-site VPN error
From: Mike Singleton <msingleton AT QUORUMREVIEW DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 30 Apr 2004 12:19:17 -0700
I think it is our setup...see the rather crude ASCII drawing below.

Internet<--->Router(10.0.1.x)<---->Checkpoint Public Interface(10.0.1.x)eth1
                                                        |
                                                        |
                                                        |       Checkpoint DMZ(160.x.x.x)eth2
                                                        |
                                                Checkpoint Private (10.0.0.x)eth0



====
Mike x318

"I just know that I know nothing"
Socrates (469-399 B.C.)


-----Original Message-----
From: FWAdmin [mailto:FWAdmin AT WLW DOT DE]
Sent: Wednesday, April 28, 2004 12:18 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] AW: [FW-1] Site-to-site VPN error


Hi Mike,

try running 'vpn tunnelutil' on both firewalls and see if you have valid IKE 
SA's and/or IPsec SA's. Try deleting them with this util. They should be 
renewed as long as there is traffic for this tunnel. Try debugging vpn via 'vpn 
debug [on|ikeon]' which logs to vpnd.elg/ike.elg. Remember to stop debugging 
via 'vpn debug [off|ikeoff]' ;-) Have a close look at these logs, maybe you'll 
find your problem in there.

By the way:
Which OS on what machine is running? We had the same error when running R55 on 
a Solaris 9 Multi-CPU Sun (which is not supported, as we found afterwards 
:-( ).

Regards
Torsten Gödicke

-----Original Message-----
From: Mike Singleton [mailto:msingleton AT QUORUMREVIEW DOT COM]
Sent: Tuesday, 27 April 2004 22:35
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Site-to-site VPN error


Anyone know how to further troubleshoot this? The IKE phase seems to go through, 
then this error.

Number:         38800
Date:           27Apr2004
Time:           11:52:25
Product:        VPN-1 & FireWall-1
Interface:      eth2
Origin:         firewall (xx.xxx.xxx.129)
Type:           Log
Action:         Drop
Service:        smtp (25)
Source:         mail2.domain.com (xxx.xxx.xxx.131)
Destination:    other_site_firewall (xxx.xxx.xxx.103)
Protocol:       tcp
Source Port:    65439
Information:    encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com 
=================================================
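As an added example (not from the thread and not a Check Point tool), here is a small Python parser for the "Key: value" log layout quoted above; it counts drops whose reason is "no valid SA", grouped by interface and peer, so a tunnel that never establishes a security association stands out in a batch of exported log records. The sample records are constructed, and the hostnames and addresses are placeholders rather than the poster's hosts.

```python
import re
from collections import Counter

# Constructed sample records in the "Key: value" layout quoted above (addresses are
# documentation ranges, not the poster's hosts): two SA-failure drops and one accept.
SAMPLE_LOG = """\
Interface:      eth2
Action:         Drop
Service:        smtp (25)
Source:         mail2.example.com (192.0.2.131)
Destination:    other_site_firewall (198.51.100.103)
Information:    encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423

Interface:      eth2
Action:         Accept
Service:        http (80)
Source:         web1.example.com (192.0.2.140)
Destination:    other_site_firewall (198.51.100.103)
Information:    encrypt

Interface:      eth2
Action:         Drop
Service:        smtp (25)
Source:         mail2.example.com (192.0.2.131)
Destination:    other_site_firewall (198.51.100.103)
Information:    encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423
"""

NO_SA = re.compile(r"no valid SA", re.IGNORECASE)

def parse_records(text):
    """Split blank-line separated 'Key: value' blocks into one dict per log record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def sa_failures_by_peer(text):
    """Count 'no valid SA' drops per (interface, destination) so a dead tunnel stands out."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Action") == "Drop" and NO_SA.search(rec.get("Information", "")):
            counts[(rec["Interface"], rec["Destination"])] += 1
    return dict(counts)
```

Run it against a real export and a peer that keeps appearing here while `vpn tunnelutil` shows no IPsec SA for it is the tunnel to debug first.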


