Solved

VPN branch office tunnel from a WatchGuard Firebox 2 -> Check Point

Posted on 2004-04-19
998 Views
Last Modified: 2013-11-16
Hi all,

I have set up a WatchGuard Firebox 2 at the main office and a Check Point NG55 at a branch office. On the WatchGuard box I have configured the gateway and the tunnel in the BOVPN manual IPsec settings.

The IPsec policies have been set up to route between the branch office networks (6 of them) and my single internal network.

When I boot up the Firebox it just stands there arguing about SAs and can't connect to the Check Point firewall, and vice versa. What's wrong? What have I forgotten to set up?

Could anyone please help me ASAP?
0
Question by:Seh_it24
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10863411
Make sure the encryption networks / subnets, pre-shared keys and phase 1 and 2 timeouts match up at both ends.
0
 

Author Comment

by:Seh_it24
ID: 10863471
Well, we have double-checked this problem and built the tunnel up a lot of times now, and finally we have established a tunnel going in one direction: the HQ can communicate with every host on the branch office, but the branch office is not able to ping or get any kind of response from the HQ; it only gets "no response from peer".

On the HQ there is an ANY service defined for the branch office permitting communication. Anything we have missed? NATing maybe? Since we use a public address on the FW and a private network on the HQ which the traffic is going to. Any clues?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10869929
I would say there was either a routing or NAT problem.  You need rules in WatchGuard and Check Point to ensure that traffic bound for a VPN connection is NOT NATted.
0
 

Author Comment

by:Seh_it24
ID: 10871287
On the WatchGuard box (HQ) the NATing rules say 192.168.0.0/16 should be NATted to the public IP, so I guess that the network which is going to be routed through the tunnel is being NATted, since it's a 192.168.78 subnet. What's the right solution for this?
0
 
LVL 23

Accepted Solution

by:Tim Holman (earned 55 total points)
ID: 10876281
You need a NAT statement saying that anything from 192.168.0.0/16 destined for the Check Point's encryption network (for example 10.0.0.0/8) should NOT be NATted.
0
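To see why the exemption has to exist and why it has to sit ahead of the general NAT rule, here is an added example (not WatchGuard or Check Point syntax, and not code from anyone in this thread) that models a first-match NAT policy and the phase-2 selector check a VPN gateway applies after NAT. The 192.168.0.0/16 range and the 10.0.0.0/8 encryption domain come from the thread; the public IP 203.0.113.10, the host addresses and the rule names are constructed placeholders.

```python
"""Model of first-match NAT rule ordering and its effect on IPsec tunnel selection.

Added example for the thread above; it is not firewall configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

# From the thread: HQ private range and the example peer encryption domain.
HQ_LAN = ip_network("192.168.0.0/16")
PEER_ENC_DOMAIN = ip_network("10.0.0.0/8")
# Constructed placeholders (RFC 5737 documentation ranges), not from the thread.
HQ_PUBLIC_IP = ip_address("203.0.113.10")
ANY = ip_network("0.0.0.0/0")

AddrLike = Union[str, IPv4Address]


@dataclass(frozen=True)
class NatRule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    translate_to: Optional[IPv4Address]  # None = explicit "do not NAT" exemption


def apply_nat(rules: List[NatRule], src: AddrLike, dst: AddrLike) -> Tuple[str, IPv4Address]:
    """Evaluate an ordered NAT policy: the first rule whose src/dst match wins."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            new_src = src if rule.translate_to is None else rule.translate_to
            return rule.name, new_src
    return "no-match", src  # no rule matched: source left untouched


def matches_ipsec_selector(src: IPv4Address, dst: IPv4Address,
                           local_net: IPv4Network, remote_net: IPv4Network) -> bool:
    """A phase-2 SA only carries packets whose post-NAT addresses fit its selectors."""
    return src in local_net and dst in remote_net


def trace(rules: List[NatRule], src: AddrLike, dst: AddrLike,
          local_net: IPv4Network = HQ_LAN,
          remote_net: IPv4Network = PEER_ENC_DOMAIN) -> Dict[str, object]:
    """Run a packet through NAT, then ask whether it still qualifies for the tunnel."""
    rule, new_src = apply_nat(rules, src, dst)
    return {
        "rule": rule,
        "src_after_nat": str(new_src),
        "enters_tunnel": matches_ipsec_selector(new_src, ip_address(dst), local_net, remote_net),
    }


# The HQ policy as described by the asker: everything from 192.168/16 is masqueraded.
MASQUERADE = NatRule("masquerade-all", HQ_LAN, ANY, HQ_PUBLIC_IP)
# The exemption from the accepted answer: 192.168/16 -> peer encryption domain, no NAT.
VPN_EXEMPT = NatRule("vpn-no-nat", HQ_LAN, PEER_ENC_DOMAIN, None)

POLICY_AS_POSTED = [MASQUERADE]
POLICY_FIXED = [VPN_EXEMPT, MASQUERADE]       # exemption evaluated first
POLICY_WRONG_ORDER = [MASQUERADE, VPN_EXEMPT]  # exemption shadowed by the catch-all

if __name__ == "__main__":
    hq_host, branch_host, internet_host = "192.168.78.20", "10.1.2.3", "198.51.100.5"
    for label, policy in [("as posted", POLICY_AS_POSTED),
                          ("fixed", POLICY_FIXED),
                          ("wrong order", POLICY_WRONG_ORDER)]:
        print(f"{label:12} HQ->branch : {trace(policy, hq_host, branch_host)}")
    print(f"{'fixed':12} HQ->internet: {trace(POLICY_FIXED, hq_host, internet_host)}")
```

With the policy as posted, a packet from 192.168.78.20 to the branch leaves with source 203.0.113.10, no longer fits the 192.168.0.0/16 selector of the phase-2 SA, and so never enters the tunnel; that is the one-way behaviour the asker saw. Placing the exemption first restores the original source for VPN-bound traffic while internet-bound traffic is still masqueraded, and the `POLICY_WRONG_ORDER` case shows that the same exemption placed below the catch-all never matches.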
