[FW-1] NGX RX65 and Edge VPN troubles

Subject: [FW-1] NGX RX65 and Edge VPN troubles
From: Thomas Nilsen <Thomas.Nilsen AT ROXAR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 3 Apr 2007 22:29:31 +0200
We are having some strange issues with the combination of NGX R65 and our Edge 
boxes.

We have deployed a new fresh install of R65 with an imported config from an R55 
install. All our tunnels to other NG gateways are working as expected, but our 
Edge boxes are causing a major headache.

We run our main HQ policy in traditional mode, and as such have not integrated 
most of the Edge boxes with Smartcenter, since they would normally rely on a 
simplified mode config and VPN communities. However, some Edge boxes have been 
connected to Smartcenter with the workaround to get VPN to work in traditional 
mode (creating an external object with the same settings as the Edge box to use 
with the VPN config on the traditional policy).

Once we got the new R65 box up and running, the VPN tunnels to the Edge boxes 
have been behaving strangely. Tunnels from HQ to the Edge boxes worked fine, 
but not the other way around. Errors showing up in the Smartcenter log are 
"encryption failure: different hash methods".

I've now tried just about everything.

- Connected the Edge to the smartcenter both with a VPN and without the VPN 
checkbox ticked for the given Edge object.
- Manual setup of VPN tunnels in both ends (this has always worked before)
- Using VPN communities with a workaround on the HQ site to work with a 
traditional policy.
- Different Edge firmware versions - from 4.5.x to 6.5.x

Problem still persists and with the same error: "different hash methods". I'm 
out of ideas.
What is also strange is that when connecting from the Edge site to a host at 
the HQ site, some IPs might work, while others will fail.

With a subnet of 22 bits, pinging x.x.x.2 won't work, but x.x.x.3 will.

Anyone else tried the combination of R65 and Edge boxes yet?
