problems with site to site VPN

greg-bnets
Level 1

Hi there, I have a problem with a site-to-site connection with a company we work with. The company works with a Checkpoint NGX-1 R65 and we work with a PIX. The thing is that the VPN comes up. I can ping hosts at the company side and traffic is flowing. The company cannot access us; only when we start a ping from our side, and only after that, can they access us. We also got some socket errors on one of our apps when connecting to them.

I have debug logs attached. One is from when we are sending pings to them (debug ourside.txt), and one from when they are sending pings to us (debug company ping.txt).

22 Replies

Tell the Checkpoint TAC that they should be running the latest HFA, like what I have below:

[Expert@NGx_R65-1-P]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
[Expert@NGx_R65-1-P]#

Furthermore, when I look at the ike.elg file, everything looks clean. There is an issue with the tunnel 209.16.112.254, but for the tunnel 200.x.x.19 it looks really clean. Both phase I and phase II look really clean, so the configuration on both the Checkpoint side and your side is correct. There is one thing I am not seeing in the Checkpoint debug file, which is the Perfect Forward Secrecy part. Can you check with Checkpoint TAC if that is in place?

Last resort will be:

1) upgrade Checkpoint to HFA_02. They are on HFA_00 now,

2) upgrade your PIX 6.3(4) to 6.3(5).

Or if you like you can set up a VPN tunnel with me. I have a Checkpoint NGX R65 firewall, but I am running HFA_02 instead of HFA_00.

Kevin,

I can't test with you right now. My email address is gregory.tai-apin@bnets.sr. Is my PIX config alright here? I'm sending you a debug of mine right now, and a new one of a test we just did.

I can upgrade my PIX, but upgrading on the Checkpoint side is out of the question, they say.

Thanks for the offer.

Your PIX configuration looks correct.

Are they running Checkpoint on SecurePlatform or a Nokia IP appliance? I remember running into this issue about two years ago, but that was between my Checkpoint NG AI firewall running on SecurePlatform and a Cisco IOS router on the other side.

I looked at the ike10.elg file and everything looks good on the Checkpoint side. Both phase I and phase II are properly exchanged.

Kevin,

I don't know yet which platform. I will ask them. But have you seen things in the debug 3.txt file? What can you make of it? I will upgrade to 6.3(5); I'm looking for the upgrade document online now. As soon as I find it I will upgrade.

Do you have remote access VPN terminating on this PIX firewall? Your IPsec phase II looks strange with 0.0.0.0/0.
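
For readers hitting the same combination, here is an added example (not the poster's configuration, and not taken from the thread) of how a PIX 6.3 side is laid out when a static site-to-site entry has to coexist with a remote-access dynamic crypto map on the same outside interface, which is the situation the 0.0.0.0/0 proxy ID points at. Everything in it is assumed for illustration: the local network 192.168.1.0/24, the remote network 10.10.0.0/16, the peer 203.0.113.19, the names l2l-acl, nonat, strong, dynmap and outside_map, and the placeholder pre-shared key. Lines beginning with "!" are annotations; PIX 6.3 does not keep them, so strip them before pasting.

```text
! Local and remote networks. This ACL supplies the phase II proxy IDs, so it
! must cover exactly the networks in the Check Point VPN domain; a site-to-site
! entry should never end up negotiating 0.0.0.0/0.
access-list l2l-acl permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Remote-access clients: dynamic map, no peer and no match address. Its proxy
! ID is whatever the client proposes, which is how 0.0.0.0/0 shows up.
crypto dynamic-map dynmap 10 set transform-set strong

! Site-to-site entry: static, with a lower sequence number than the dynamic
! entry so the Check Point peer is matched here, not by the catch-all below.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l-acl
crypto map outside_map 10 set peer 203.0.113.19
crypto map outside_map 10 set transform-set strong
! PFS has to be configured the same way on both ends: either "set pfs group2"
! here and PFS with group 2 in the Check Point community, or neither. A
! mismatch is invisible in phase I and only shows up in phase II (quick mode).
crypto map outside_map 10 set pfs group2
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

isakmp enable outside
! no-xauth and no-config-mode stop the remote-access XAUTH and mode-config
! settings from being applied to the site-to-site peer.
isakmp key CHANGE-ME address 203.0.113.19 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After the tunnel comes up, "show crypto ipsec sa" on the PIX shows the local and remote ident of each SA; those should be the two networks from the ACL, one SA pair per ACL line. On the Check Point side the settings worth having their administrator confirm are the gateway's VPN domain (it should equal the PIX ACL networks), the PFS setting of the community, and the tunnel-sharing setting (one tunnel per subnet pair versus one per host pair), because a per-host proposal from the Check Point side will not match a per-subnet ACL line on the PIX.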

Yes, I have. But I deleted it now. Still I can't ping; only one host at a time.

Kevin,

I have upgraded to 6.3(5); still no progress. Thanks for all your efforts. I'm in the dark here.

Kevin,

When I remove the static inbound rule on the router I am able to ping all hosts simultaneously. But then again the company can only reach me when I start a ping first. I will still have problems with the renegotiation.

Any thoughts on this?
