Solved

VPN Issue

Posted on 2013-02-02
Last Modified: 2013-03-01
Afternoon

I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.

My customer requires VPN access for external contractors, using site-to-site VPN connections locked down to specific servers.

This all worked fine when they had a traditional internet connection plugged directly into their Watchguard.  However this changed recently when they switched to an MPLS network with an internet breakout with managed firewall.

All relevant traffic is forwarded from the managed firewall to the Watchguard.  And the external interface on the Watchguard now has an internal address assigned by the MPLS provider - 192.168.x.x/27

All external contractors' VPNs are working bar one, and they are using a Checkpoint firewall.

Alternate contractors are using Watchguards or Drayteks and they are fine.

The connection appears to be made at both ends but there is no traffic flowing between the sites.  The contractor says they can see traffic going out but the WG shows no received packets.

The contractors with Watchguards had to specify the authentication gateway as the Watchguard interface as the only change.  There isn't this option on the Checkpoints.

A log snippet attached shows the errors when I ping out from the WG; to me it appears the endpoints are seeing each other but the actual 1st and 2nd modes are not actually occurring - which is weird as I would have thought this would have stopped the connection from even occurring?....

All phases of authentication have been triple checked....and then triple checked again

Before it is suggested, adding a separate external line is not an option to avoid the effective double NAT.  If other VPNs are working then so can this one

All suggestions welcomed
Thanks
Firewall-Issue.bmp
Question by:DLeaver
5 Comments
 
LVL 92

Accepted Solution

by:
John Hurst earned 250 total points
ID: 38846766
I am not familiar with your gear (and details are important).  Two suggestions:

1. I see you are using main mode (fine). Try aggressive mode to see if that makes a change. You can always revert right back.

2. See if you have a variable for NAT Traversal and enable NAT Traversal. I need that for some of my Cisco - Juniper site to site connections.


... Thinkpads_User
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 38847604
Key messages are
   Sending fifth message
   ...
   Received inform notify: (Payload Malformed)
5th exchange of Phase 1 Main Mode is about IDs and hashes, and there seems to be a mismatch here. This points in the direction of what the other contractors had to change. Maybe you can find an option on the WatchGuard to provide its public IP as a Phase 1 Local ID? I don't know WGs well enough to tell you where to find that.
0
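
What the Phase 1 ID mismatch suggested in the answer above looks like at the payload level, as an added example that is not part of the original thread: it packs and parses the body of an IKEv1 Identification payload (RFC 2407, section 4.6.2) and compares it with the ID the remote peer is configured to expect. The addresses are constructed samples and `check_peer_id` is a hypothetical helper, not WatchGuard or Checkpoint logic.

```python
import ipaddress
import struct

# ID types from RFC 2407 section 4.6.2.1 (subset)
ID_IPV4_ADDR, ID_FQDN = 1, 2
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pack_id_body(id_type, data, proto=0, port=0):
    """Body of an IKEv1 ID payload: ID type, protocol ID, port, ID data."""
    return struct.pack("!BBH", id_type, proto, port) + data

def parse_id_body(body):
    if len(body) < 4:
        raise ValueError("ID payload body shorter than its 4-byte header")
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    elif id_type == ID_FQDN:
        value = data.decode("ascii")
    else:
        value = data.hex()
    return id_type, proto, port, value

def check_peer_id(body, expected_type, expected_value):
    """Hypothetical responder-side check of a received Phase 1 ID."""
    id_type, proto, port, value = parse_id_body(body)
    findings = []
    if (proto, port) not in ((0, 0), (17, 500)):
        findings.append("phase 1 ID must use proto/port 0/0 or 17/500")
    if (id_type, value) != (expected_type, expected_value):
        findings.append(f"ID mismatch: got {value}, expected {expected_value}")
    if id_type == ID_IPV4_ADDR and any(
            ipaddress.ip_address(value) in net for net in RFC1918):
        findings.append("ID is an RFC 1918 address: sender is likely behind NAT")
    return findings

# Constructed sample values, not taken from the thread.
PRIVATE_IF = "192.168.10.5"   # external interface address after the NAT change
PUBLIC_IP = "203.0.113.10"    # address the remote peer has configured

def demo():
    """Default ID (interface address) versus public IP set as local ID."""
    as_sent = pack_id_body(ID_IPV4_ADDR, ipaddress.IPv4Address(PRIVATE_IF).packed)
    fixed = pack_id_body(ID_IPV4_ADDR, ipaddress.IPv4Address(PUBLIC_IP).packed)
    return (check_peer_id(as_sent, ID_IPV4_ADDR, PUBLIC_IP),
            check_peer_id(fixed, ID_IPV4_ADDR, PUBLIC_IP))
```
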
 
LVL 12

Author Comment

by:DLeaver
ID: 38880990
Update - still not resolved at this point

Tried using aggressive mode previously with no change.

I am arranging a 1 to 1 NAT from our managed firewall to our WG to see if this overcomes the issue.
0
 
LVL 12

Author Closing Comment

by:DLeaver
ID: 38943299
Thanks for the input

We have had to use an alternate method for now

However both valid suggestions which we hadn't considered

Thanks again
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 38943308
@DLeaver - Thank you and I was happy to help you with this.

.... Thinkpads_User
0

Question has a verified solution.
