Hello There,
My question is quite straightforward but may need some nitty gritty.
My checkpoint FW is on a Nokia box having NGAI HFA-4. I've created 2 VPN
communities here,
one for remote access and the other for a site-to-site VPN with a Cisco VPN
concentrator.
I am trying to access the servers behind the site-to-site VPN from a remote
access vpn client.
Every time I try to do this I get a log recorded on the Smartviewer saying the
following.
Encryption fail reason: packet is dropped because there is no valid SA. Please
refer to sk19423.
I also see logs of the firewall trying to establish phase 2 of the VPN with
0.0.0.0/0.0.0.0 as the source IP.
And I also managed to make the objective work when I set 0.0.0.0/0.0.0.0 on
the Cisco config
as the checkpoint side network. (This had conflicts with other tunnels on the
concentrator.)
Please note that I don't have any secureclient licenses but am using the
secureclient software without
Policy server login.
Also both the Communities work independently fine.
I would like to mention a few more points which would be of some interest.
I was expecting my secureremote client to be aware of other vpn communities and
topologies,
hence expected traffic destined to the servers residing on the other end of the
site-to-site VPN
to automatically pass down the vpn session. Since this was not happening I had
to configure "Hub mode"
on the client which will pass all the traffic down the vpn session.
I also enabled an IP NAT Pool to see if this would be of any help, but nothing changed.
Any help would be highly appreciated,
Regards
Admin