• Status: Solved

VPN branch office tunnel from a WatchGuard Firebox 2 -> Check Point

Hi all

I have set up a WatchGuard Firebox 2 at the main office and a Check Point NG55 at a branch office. At the WatchGuard box I have configured the gateway and the tunnel in the BOVPN manual IPSec settings.

The IPSec policies have been set up to route between the branch office networks (6 of them) and my single internal network.

When I boot up the Fireboxes it just stands there arguing about SAs and can't connect to the Check Point firewall, and vice versa. What's wrong? What have I forgotten to set up?

Could anyone please help me asap?
Asked by: Seh_it24

1 Solution

Tim Holman commented:
Make sure the encryption networks / subnets, pre-shared keys and phase 1 and 2 timeouts match up at both ends.

Seh_it24 (author) commented:
Well, we have double-checked this problem and built the tunnel up a lot of times now, and finally we have established a tunnel going in one direction: the HQ can communicate with every host on the branch office, but the branch office is not able to ping or get any kind of response from the HQ; it only gets "no response from peer".

On the HQ there is an ANY service defined for the branch office permitting communication. Anything we have missed? NATing maybe? Since we use a public address on the FW and a private network on the HQ which the traffic is going to. Any clues?

Tim Holman commented:
I would say there was either a routing or NAT problem. You need rules in WatchGuard and Check Point to ensure that traffic bound for a VPN connection is NOT NATted.

Seh_it24 (author) commented:
On the WatchGuard box (HQ) the NAT rules say 192.168.0.0/16 should be NATted to the public IP, so I guess the network that is going to be routed through the tunnel is being NATted since it's a 192.168.78 subnet. What's the right solution for this?

Tim Holman commented:
You need a NAT statement saying that anything from 192.168.0.0/16 destined for the Check Point's encryption network (for example 10.0.0.0/8) should NOT be NATted.
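
As an added illustration of the no-NAT point in this thread (example code written for this page, not WatchGuard's or Check Point's configuration syntax): a small Python model of first-match source-NAT evaluation followed by the IPsec phase-2 traffic-selector check. The HQ NAT rule 192.168.0.0/16, the 192.168.78 HQ subnet and the 10.0.0.0/8 remote encryption domain come from the thread; the HQ host 192.168.78.10, branch host 10.0.5.20, public IP 203.0.113.1 and Internet host 198.51.100.7 are constructed sample values. The model applies NAT before the IPsec selector lookup, which is the ordering that produces the asker's one-way tunnel, and it also shows that the exemption only works when it is evaluated ahead of the general NAT rule.

```python
"""
Added example, not from the thread: a first-match model of source-NAT policy
evaluation followed by the IPsec phase-2 traffic-selector check. It reproduces
the symptom described by the asker (HQ replies never enter the tunnel) and the
fix Tim Holman describes (a no-NAT exemption for traffic bound for the remote
encryption domain, evaluated before the general NAT rule).

From the thread: HQ NAT rule 192.168.0.0/16 -> public IP, remote encryption
domain 10.0.0.0/8 (Tim's example), HQ subnet in 192.168.78.x.
Constructed sample values: HQ host 192.168.78.10, branch host 10.0.5.20,
public IP 203.0.113.1, Internet host 198.51.100.7.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """First-match NAT rule: traffic from src to dst gets its source rewritten
    to translate_to, or is left untouched when translate_to is None (no-NAT)."""
    src: IPv4Network
    dst: IPv4Network
    translate_to: Optional[IPv4Address]


@dataclass(frozen=True)
class Phase2Selector:
    """IPsec phase-2 traffic selector: only local->remote traffic enters the SA."""
    local: IPv4Network
    remote: IPv4Network


ANY = ip_network("0.0.0.0/0")
PUBLIC_IP = ip_address("203.0.113.1")          # constructed
HQ_HOST = ip_address("192.168.78.10")          # constructed, inside 192.168.78.0/24
BRANCH_HOST = ip_address("10.0.5.20")          # constructed, inside 10.0.0.0/8
INTERNET_HOST = ip_address("198.51.100.7")     # constructed

# Phase 2 as negotiated on the HQ Firebox: HQ subnet <-> remote encryption domain.
SELECTOR = Phase2Selector(local=ip_network("192.168.78.0/24"),
                          remote=ip_network("10.0.0.0/8"))

# The asker's current policy: everything from 192.168.0.0/16 is NATted to the public IP.
BROKEN_RULES: List[NatRule] = [
    NatRule(ip_network("192.168.0.0/16"), ANY, PUBLIC_IP),
]

# Tim's fix: an exemption for traffic to the encryption domain, placed FIRST.
FIXED_RULES: List[NatRule] = [
    NatRule(ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"), None),  # no-NAT
    NatRule(ip_network("192.168.0.0/16"), ANY, PUBLIC_IP),
]


def apply_nat(src: IPv4Address, dst: IPv4Address, rules: List[NatRule]) -> IPv4Address:
    """Return the source address after the first matching NAT rule is applied."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return src if rule.translate_to is None else rule.translate_to
    return src  # no rule matched: source unchanged


def enters_tunnel(src: IPv4Address, dst: IPv4Address, sel: Phase2Selector) -> bool:
    """Selector match on the packet as it leaves, i.e. after NAT in this model."""
    return src in sel.local and dst in sel.remote


def reply_path(src: IPv4Address, dst: IPv4Address, rules: List[NatRule],
               sel: Phase2Selector) -> Tuple[IPv4Address, bool]:
    """Post-NAT source of an HQ reply plus whether it still matches the phase-2 selector."""
    post_nat = apply_nat(src, dst, rules)
    return post_nat, enters_tunnel(post_nat, dst, sel)


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                         ("fixed, wrong order", list(reversed(FIXED_RULES)))):
        post_nat, ok = reply_path(HQ_HOST, BRANCH_HOST, rules, SELECTOR)
        print(f"{label:20s} reply src {HQ_HOST} -> {post_nat}; enters tunnel: {ok}")
```

Under the asker's policy the reply's source becomes the public IP and no longer matches the selector, so it is routed in the clear instead of into the SA, which is consistent with the branch seeing "no response from peer" while HQ-initiated traffic still works. With the exemption in front, traffic to 10.0.0.0/8 keeps its private source and Internet-bound traffic is still NATted; put the exemption after the general rule and it is shadowed and never reached. The practical check on the real firewall is the same: confirm in the traffic log that replies toward the branch subnets still carry the private source address rather than the public IP.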
