Solved

VPN branch office tunnel from a WatchGuard Firebox 2 -> Check Point

Posted on 2004-04-19
Last Modified: 2013-11-16
Hi all

I have set up a WatchGuard Firebox 2 at the main office and a Check Point NG55 at a branch office. On the WatchGuard box I have configured the gateway and the tunnel in the BOVPN manual IPsec settings.

The IPsec policies have been set up to route between the branch office networks (6 of them) and my single internal network.

When I boot up the Firebox it just stands there arguing about SAs and can't connect to the Check Point firewall, and vice versa. What's wrong? What have I forgotten to set up?

Could anyone please help me ASAP?
Question by:Seh_it24
Expert Comment by: Tim Holman (LVL 23)
Make sure the encryption networks / subnets, pre-shared keys and phase 1 and 2 timeouts match up at both ends.

Author Comment by: Seh_it24
Well, we have double-checked this problem and built the tunnel up a lot of times now, and finally we have established a tunnel going in one direction: the HQ can communicate with every host on the branch office, but the branch office is not able to ping or get any kind of response from the HQ; it only gets "no response from peer".

On the HQ there is an ANY service defined for the branch office permitting communication. Anything we have missed? NATing maybe? Since we use a public address on the FW and a private network on HQ, which is where the traffic is going to. Any clues?
Expert Comment by: Tim Holman (LVL 23)
I would say there was either a routing or NAT problem.  You need rules in Watchguard and Check Point to ensure that traffic bound for a VPN connection is NOT Natted.

Author Comment by: Seh_it24
On the WatchGuard box (HQ) the NATing rules say 192.168.0.0/16 should be NATed to the public IP, so I guess the network that is going to be routed through the tunnel is being NATed since it's a 192.168.78 subnet. What's the right solution for this?
Accepted Solution by: Tim Holman (LVL 23, earned 55 total points)
You need a NAT statement saying that anything from 192.168.0.0/16 destined for the Check Point's encryption network (for example 10.0.0.0/8) should NOT be NATted.
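
As an added illustration (not part of this thread, and not WatchGuard or Check Point configuration syntax), the following Python model of an ordered NAT table shows why the no-NAT exemption must sit before the general 192.168.0.0/16 rule: once the source address has been rewritten to the public IP, the packet no longer matches the tunnel's phase-2 selector and is sent out in the clear instead of into the tunnel. The public IP 203.0.113.10 is a placeholder; 192.168.78.0/24 and 10.0.0.0/8 are the HQ subnet and branch encryption domain used in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for this illustration (not from any real deployment).
HQ_PUBLIC_IP = "203.0.113.10"             # placeholder public address of the HQ Firebox
HQ_INTERNAL = "192.168.78.0/24"           # HQ subnet mentioned in the thread
BRANCH_ENCRYPTION_DOMAIN = "10.0.0.0/8"   # Check Point encryption domain from the accepted answer


@dataclass
class NatRule:
    src: str                      # source network the rule matches
    dst: str                      # destination network the rule matches
    translate_to: Optional[str]   # None means "do not NAT" (exemption rule)


def apply_nat(rules: List[NatRule], src_ip: str, dst_ip: str) -> str:
    """Return the post-NAT source address; the first matching rule wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return src_ip if r.translate_to is None else r.translate_to
    return src_ip  # no rule matched: address unchanged


def matches_ipsec_policy(src_ip: str, dst_ip: str) -> bool:
    """Phase-2 selector of the tunnel: HQ internal subnet <-> branch encryption domain."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(HQ_INTERNAL)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(BRANCH_ENCRYPTION_DOMAIN))


def tunnel_bound(rules: List[NatRule], src_ip: str, dst_ip: str) -> bool:
    """True if the packet, after NAT, still matches the tunnel selector."""
    return matches_ipsec_policy(apply_nat(rules, src_ip, dst_ip), dst_ip)


# The configuration described in the thread: everything in 192.168.0.0/16 is NATed.
BROKEN = [NatRule("192.168.0.0/16", "0.0.0.0/0", HQ_PUBLIC_IP)]

# The accepted answer: exempt traffic to the encryption domain, then NAT the rest.
FIXED = [
    NatRule("192.168.0.0/16", BRANCH_ENCRYPTION_DOMAIN, None),
    NatRule("192.168.0.0/16", "0.0.0.0/0", HQ_PUBLIC_IP),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "-> tunnel:", tunnel_bound(rules, "192.168.78.5", "10.1.2.3"))
```

Reversing the two rules in FIXED reproduces the broken behaviour, which is the ordering mistake to check for when a tunnel passes traffic in only one direction.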