I'm hoping someone can help me. I'm currently having issues trying to establish an outbound L2L VPN from a Cisco 3000 VPN Concentrator out to a 3rd Party who are using Checkpoint R65 using pre-chared keys.
The outbound connections leave the VPN concentrator, are routed via a CSS 11000 where the real external IP address of the VPN is NAT'd to a public internet address, then on via an external Internet facing Checkpoint running R70 and out to the internet.
We're seeing Phase 1 & 2 come up but nothing after that, certainly the session doesn't come up at UDP-4500 as expected. The session shows Packets Tx incrementing but no Packets RX.
There are 3 possible issues with this I can see but unfortunately I have no idea how to resolve or whether they're red herrings etc etc
1 - Looking on the firewall logs for the outbound traffic I see the initial IKE (UDP-500) packet traverse the firewall with a source of the NAT'd VPN address and a destination of the 3rd Party peer address as expected. Then I see drops on the firewalls from the real IP address of the VPN out to the 3rd Party peer address for esp protocol. The reason for these drops are because for some reason the CSS chooses not to NAT the real src of the VPN and the firewall is set up only for the NAT'd source and 3rd party peer and not the real source. Any ideas why the CSS chooses to NAT the first IKE packet with no issue and then not for the esp packet?
2 - To overcome the issue in point 1, I disabled the NAT on the CSS so that the real IPs were presented to the external firewall and carried out the NATs on there instead. Unfortunately I still experienced the same; Successful Phase 1 & 2, No UDP-4500 and only Packets TX none RX.
3 - Something else...
Software versions of the 3 devices are as follows;
VPN - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.B Oct 04 2005 02:50:52
CSS - sg0750306s (07.50.3.06s)
Checkpoint - R70 on Nortel ASF
It's worth pointing out that we 99% of L2L builds on this device are working fine but I'm unsure as to what the 3rd Party devices are on these. With this being a 3rd Party connection, I can only vouch for my standard configurations and take the word of the 3rd Party but any advice or suggestions are more than welcome.
Thanks for reading,
I've seen some incompatibility issues between Cisco's NAT-T and other vendors implementations of NAT-T.
You see packets TX on your side but no RX. The third party device sees the RX packets that you're sending?
If they try to initiate the tunnel from their side, do then see packets TX and do you get those packets as RX?