Re: problems with site to site VPN - Page 2

greg-bnets · ‎11-27-2007

Hi there i have a problem with a site to site connection with a company we work with. The company works with a checkpoint ngx-1 R65 en we work with Pix. The thing is that we VPN comes up. I can ping host at the company side and traffic is flowing. The company cannot access us only when we start a ping from our side only after that they can access us. We also got some socket errors on one of our apps when connecting to them.

i have debug logs attached. One is when we are sending pings to them (debug ourside.txt). and on were they are sending pings to us (debug company ping.txt .

kevin.jones1 · ‎11-29-2007

Tell the checkpoint TAC that they should be

running the latest HFA, like what I have below:

[Expert@NGx_R65-1-P]# fw ver

This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006

[Expert@NGx_R65-1-P]#

Furthermore, when I look at the ike.elg file, everything looks clean.

There is an issue with the tunnel 209.16.112.254 but for the tunnel

200.x.x.19, it looks really clean. Both phase I and phase II looks

really clean so the configuration on both the checkpoint side

and your side is correct. There is one thing I am not seeing in

the checkpoint debug file is the Perfect Forward Secrecy part. Can

you check with checkpoint tac if that is in place?

Last resort will be:

1) upgrade checkpoint to HFA_02. They are on HFA_0 now,

2) upgrade your pix 6.3(4) to 6.3(5),

Or if you like you can setup a VPN tunnel with me. I have

a checkpoint NGx R65 firewall but I am running HFA_02 instead

of HFA_00

greg-bnets · ‎11-29-2007

kevin,

I can't test with you right now. my email address is gregory.tai-apin@bnets.sr Is my pix config alright here? i'm sending you a debug of mine right now. and a new of a test we just did.

i can upgrade my pix but upgrading on the checkpoint side is out of the question they say.

Thanks for the offer.

kevin.jones1 · ‎11-29-2007

Your Pix configuration looks correct.

Are they running Checkpoint on SecurePlatform

or Nokia IP appliance? I remember running

into this issue about two years ago but that

was between my checkpoint NG AI firewall running

on Secureplatform and the other side is a

Cisco IOS router.

I look at the ike10.elg file and everything

looks good on the checkpoint side. Both

phase I and Phase II are properly exchanged.

greg-bnets · ‎11-29-2007

Kevin,

I don't know yet which platform. i will ask them. But have you seen things in de debug 3.txt file? What can you make of it. I will upgrade to 6.3(5) look for the upgrade document online now. As soon as i find it i will upgrade.

kevin.jones1 · ‎11-29-2007

do you have remote access VPN terminate on this

Pix firewall? your IPSec phase II looks

strange with 0.0.0.0/0

greg-bnets · ‎11-29-2007

yes i have. But i deleted it now. Still i can't ping only one host at a time.

greg-bnets · ‎11-29-2007

Kevin,

I have upgraded to 6.3(5) still no progress. Thanks for all your efforts i'm in the dark here.

greg-bnets · ‎11-30-2007

Kevin,

When i remove the static inbound rule on the router i am able to ping all hosts simultaneously. But then again the company can only reach me when i start a ping first. I will still have problems with the renegotiation.

Any thoughts on this?