11-27-2007 12:03 PM - edited 03-11-2019 04:35 AM
Hi there i have a problem with a site to site connection with a company we work with. The company works with a checkpoint ngx-1 R65 en we work with Pix. The thing is that we VPN comes up. I can ping host at the company side and traffic is flowing. The company cannot access us only when we start a ping from our side only after that they can access us. We also got some socket errors on one of our apps when connecting to them.
i have debug logs attached. One is when we are sending pings to them (debug ourside.txt). and on were they are sending pings to us (debug company ping.txt .
11-29-2007 11:12 AM
Tell the checkpoint TAC that they should be
running the latest HFA, like what I have below:
[Expert@NGx_R65-1-P]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
[Expert@NGx_R65-1-P]#
Furthermore, when I look at the ike.elg file, everything looks clean.
There is an issue with the tunnel 209.16.112.254 but for the tunnel
200.x.x.19, it looks really clean. Both phase I and phase II looks
really clean so the configuration on both the checkpoint side
and your side is correct. There is one thing I am not seeing in
the checkpoint debug file is the Perfect Forward Secrecy part. Can
you check with checkpoint tac if that is in place?
Last resort will be:
1) upgrade checkpoint to HFA_02. They are on HFA_0 now,
2) upgrade your pix 6.3(4) to 6.3(5),
Or if you like you can setup a VPN tunnel with me. I have
a checkpoint NGx R65 firewall but I am running HFA_02 instead
of HFA_00
11-29-2007 12:30 PM
kevin,
I can't test with you right now. my email address is gregory.tai-apin@bnets.sr Is my pix config alright here? i'm sending you a debug of mine right now. and a new of a test we just did.
i can upgrade my pix but upgrading on the checkpoint side is out of the question they say.
Thanks for the offer.
11-29-2007 12:50 PM
Your Pix configuration looks correct.
Are they running Checkpoint on SecurePlatform
or Nokia IP appliance? I remember running
into this issue about two years ago but that
was between my checkpoint NG AI firewall running
on Secureplatform and the other side is a
Cisco IOS router.
I look at the ike10.elg file and everything
looks good on the checkpoint side. Both
phase I and Phase II are properly exchanged.
11-29-2007 12:54 PM
Kevin,
I don't know yet which platform. i will ask them. But have you seen things in de debug 3.txt file? What can you make of it. I will upgrade to 6.3(5) look for the upgrade document online now. As soon as i find it i will upgrade.
11-29-2007 01:06 PM
do you have remote access VPN terminate on this
Pix firewall? your IPSec phase II looks
strange with 0.0.0.0/0
11-29-2007 01:27 PM
yes i have. But i deleted it now. Still i can't ping only one host at a time.
11-29-2007 03:07 PM
Kevin,
I have upgraded to 6.3(5) still no progress. Thanks for all your efforts i'm in the dark here.
11-30-2007 07:36 AM
Kevin,
When i remove the static inbound rule on the router i am able to ping all hosts simultaneously. But then again the company can only reach me when i start a ping first. I will still have problems with the renegotiation.
Any thoughts on this?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide