Firewall-1

[FW-1] vpn1 encryption problem

Subject: [FW-1] vpn1 encryption problem
From: "Schiavetta, Massimo" <massimo.schiavetta AT DIRECTLINE DOT IT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 26 Jul 2004 18:56:53 +0200

Hi all

I'm experiencing a strange problem with a VPN on NG3:

I want to let 2 machines go through the tunnel, one on the inside-net of the
fw, the other reaching the fw-inside through a couple of routers.
I got the correct routes and added the 2nd machine to the fw topology, but
only the one on the fw-inside goes through the tunnel.

Here's the log for the correct one (some IPs masked):
Number:                         212913
Date:                           26Jul2004
Time:                           14:30:48
Product:                        VPN-1 & FireWall-1
Interface:                      sbif5
Origin:                         mazinga (10.128.145.3)
Type:                           Log
Action:                         Encrypt
Protocol:                       tcp
Service:                        http (80)
Source:                         n02app05 (172.16.xxx.xxx)
Destination:                    partner_public (192.168.xxx.xxx)
Rule:                           4
Source Port:                    3920
Destination Key ID:     0xfa73d2e0
Encryption Scheme:      IKE
VPN Peer Gateway:       partner_public (xxx.xxx.xxx.xxx)
Encryption Methods:     ESP: 3DES + SHA1

Instead, here's the log for the NON-working machine, same protocol:
Number:                         213484
Date:                           26Jul2004
Time:                           14:32:06
Product:                        VPN-1 & FireWall-1
Interface:                      sbif5
Origin:                         mazinga (10.128.145.3)
Type:                           Log
Action:                         Drop
Protocol:                       tcp
Service:                        http (80)
Source:                         tit-it-msc2j (10.117.xxx.xxx)
Destination:                    partner_public (192.168.xxx.xxx)
Rule:                           4
Source Port:                    2349
Encryption Scheme:      NA
Information:                    encryption failure: Received a cleartext packet within an encrypted connection


It seems that vpn1 refuses to encrypt the traffic.

Any ideas?
Any suggestion will be very appreciated.

cheers
max
