Hi
I had a similar problem with VPN between IP40 and R55. The trouble was that ESP
packets outgoing from Check Point to IP40 had a wrong SOURCE address. The
source address of outgoing packets had the IP address of an INTERNAL interface
and not the EXTERNAL as it should be normally....
Try to run tcpdump on the external interface and check ESP packets....
---------------------------------------------------------------
Salvatore Landolina
Spike Reply S.r.l.
Via Ripamonti, 89 20139 Milano
tel +39 02 53576.1 fax +39 02 53576.444
e-mail s.landolina AT reply DOT it
www.reply.it
---------------------------------------------------------------
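The check suggested in the reply above, as an added example that is not part of the original message: a shell filter that reads `tcpdump -n` output and counts outgoing ESP packets whose source is not the expected external address. The function names, the interface placeholder and all addresses (documentation ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Live use on the gateway (EXT_IF and both addresses are placeholders):
#   tcpdump -n -l -i EXT_IF esp | esp_wrong_source 203.0.113.1 198.51.100.20

# esp_wrong_source EXPECTED_SRC PEER
# Reads `tcpdump -n` text on stdin. Looks only at ESP packets sent to PEER
# (the outgoing direction) and prints "count source" for every source
# address other than EXPECTED_SRC. Prints nothing when all sources are right.
esp_wrong_source() {
    awk -v want="$1" -v peer="$2" '
        # Line shape: <time> IP <src> > <dst>: ESP(spi=...,seq=...), length N
        $2 == "IP" && $4 == ">" && $6 ~ /^ESP\(/ {
            dst = $5
            sub(/:$/, "", dst)            # drop the colon after the destination
            if (dst != peer) next          # ignore inbound ESP from the peer
            if ($3 != want) bad[$3]++      # outgoing ESP with an unexpected source
        }
        END {
            for (src in bad) printf "%d %s\n", bad[src], src
        }'
}

# Constructed sample capture: 10.1.1.1 stands in for an internal interface
# address, 203.0.113.1 for the external one, 198.51.100.20 for the peer.
sample_capture() {
    cat <<'EOF'
13:45:01.000001 IP 10.1.1.1 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
13:45:01.200000 IP 198.51.100.20 > 203.0.113.1: ESP(spi=0x11223344,seq=0x1), length 116
13:45:02.000001 IP 10.1.1.1 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
13:45:03.000001 IP 203.0.113.1 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x3), length 116
EOF
}

# Stand-alone run on the constructed sample.
sample_capture | esp_wrong_source 203.0.113.1 198.51.100.20
```

Any line of output means ESP is leaving the gateway with a source address other than the external one, which is the symptom described in the reply.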
________________________________
From: Mailing list for discussion of Firewall-1 on behalf of <Ross Stowers>
Sent: Wed 27/04/2005 13.45
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Nokia IP40 VPN site to site tunnel doesn't work
We're having an issue between a Nokia IP40 and our firewall. We're trying
to define the IP40 as a VPN-1 edge device with a dynamic address for a site
to site VPN. The management station is able to talk to the IP40 (downloads
the certificate, downloads the security policy, etc) but the VPN tunnel
won't come up. The only error I see in the logs is: "Failed to establish
VPN Tunnel with gateway". Been talking to Nokia and they don't seem to be
able to fix the problem. They recommend using SmartLSM which we'd have to
buy. SmartLSM is overkill for the small number of gateways we plan to have
but we can do that. Has anyone had trouble with this? Any ideas about what
we can look at?
We have Checkpoint R55 HFA12 running on the Solaris management station and
the SPLAT firewall box. We have upgraded the firmware in the Nokia to the
latest version. Also, we're using traditional mode VPNs.
Thanks,
Ross
--------------------------------------------------------------------------------------------------
Ross J. Stowers
Continental Tire North America
Phone: 330-798-3979
Cell Phone: 330-327-8076
Fax: 330-798-3989
Email: ross.stowers AT conti-na DOT com
--------------------------------------------------------------------------------------------------
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================