I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.
My customer requires VPN access for external contractors, using site-to-site VPN connections locked down to specific servers.
This all worked fine when they had a traditional internet connection plugged directly into their Watchguard. However, this changed recently when they switched to an MPLS network with an internet breakout through a managed firewall.
All relevant traffic is forwarded from the managed firewall to the Watchguard, and the external interface on the Watchguard now has an internal address assigned by the MPLS provider (192.168.x.x/27).
All the external contractors' VPNs are working bar one, and they are using a Checkpoint firewall.
The other contractors are using Watchguards or Drayteks and they are fine.
The connection appears to be made at both ends, but there is no traffic flowing between the sites. The contractor says they can see traffic going out, but the WG shows no received packets.
The contractors with Watchguards had to specify the authentication gateway as the Watchguard interface; that was the only change. There isn't this option on the Checkpoints.
The attached log snippet shows the errors when I ping out from the WG. To me it appears the endpoints are seeing each other but the actual 1st and 2nd modes are not actually occurring, which is weird, as I would have thought this would have stopped the connection from even occurring?....
All phases of authentication have been triple checked.... and then triple checked again.
Before it is suggested: adding a separate external line to avoid the effective double NAT is not an option. If other VPNs are working then so can this one.
All suggestions welcomed
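The open question in the post is whether the Phase 1 and Phase 2 exchanges are actually reaching the Watchguard, or whether only keepalives or encapsulated ESP arrive. The decoder below is an added example written for this thread, not code from the original post or from any Watchguard or Checkpoint tool: it classifies UDP payloads captured on ports 500 and 4500 by ISAKMP/IKE exchange type and flags NAT-T encapsulation. The sample packets, SPI values, helper names (`build_ike`, `phase_summary`) and the capture list are constructed here and are assumptions, not taken from the poster's logs.

```python
"""Classify IKE/ISAKMP traffic from UDP 500/4500 payloads.

Added example for the thread above. Sample packets are constructed inline
(not a real capture); port handling follows RFC 3948 (NAT-T) and the ISAKMP
header layout from RFC 2408 / RFC 7296.
"""
import struct
from collections import Counter

# ISAKMP header: iSPI(8) rSPI(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def decode_ike_packet(dst_port: int, payload: bytes) -> dict:
    """Classify one UDP payload sent to port 500 or 4500.

    On 4500 a four-byte zero "non-ESP marker" precedes the ISAKMP header,
    a lone 0xFF byte is a NAT keepalive, and anything else is UDP-encapsulated
    ESP whose first four bytes are the ESP SPI.
    """
    if dst_port == 4500:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        if len(payload) < 4:
            return {"kind": "malformed"}
        if payload[:4] != b"\x00\x00\x00\x00":
            return {"kind": "esp-udp", "spi": struct.unpack("!I", payload[:4])[0]}
        payload = payload[4:]
    elif dst_port != 500:
        return {"kind": "not-ike"}
    if len(payload) < ISAKMP_HDR.size:
        return {"kind": "malformed"}
    ispi, rspi, _next, ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4
    return {
        "kind": "ike",
        "version": f"{major}.{ver & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        # Responder SPI is still zero on the opening message of an SA negotiation.
        "first_message": rspi == bytes(8),
        # IKEv1 marks encryption with flag bit 0; in IKEv2 everything after IKE_SA_INIT is encrypted.
        "encrypted": bool(flags & 0x01) if major == 1 else xchg != 34,
        "declared_length": length,
        "truncated": length > len(payload),
    }


def phase_summary(packets) -> Counter:
    """Count what was seen; packets is an iterable of (dst_port, payload)."""
    seen = Counter()
    for port, payload in packets:
        d = decode_ike_packet(port, payload)
        seen[d.get("exchange", d["kind"])] += 1
    return seen


def build_ike(xchg: int, rspi_zero: bool = True, flags: int = 0,
              body: bytes = b"", port: int = 500):
    """Construct a (port, payload) sample with a valid ISAKMP header (test data only)."""
    ispi = b"\x11" * 8                       # assumed initiator SPI
    rspi = bytes(8) if rspi_zero else b"\x22" * 8
    ver = 0x10 if xchg < 34 else 0x20        # 1.0 for IKEv1 exchanges, 2.0 for IKEv2
    hdr = ISAKMP_HDR.pack(ispi, rspi, 1, ver, xchg, flags, 0, ISAKMP_HDR.size + len(body))
    pkt = hdr + body
    if port == 4500:
        pkt = b"\x00\x00\x00\x00" + pkt      # non-ESP marker
    return port, pkt


# Constructed "capture": Main Mode opens on 500, Quick Mode and ESP ride NAT-T on 4500.
SAMPLE_CAPTURE = [
    build_ike(2),                                         # Main Mode, message 1
    build_ike(2, rspi_zero=False),                        # Main Mode, later message
    build_ike(32, rspi_zero=False, flags=0x01, port=4500),  # Quick Mode, encrypted
    (4500, b"\xff"),                                      # NAT keepalive
    (4500, b"\x00\x00\x12\x34" + bytes(8) + b"A" * 40),   # UDP-encapsulated ESP
]

if __name__ == "__main__":
    for name, count in phase_summary(SAMPLE_CAPTURE).items():
        print(f"{count:3d}  {name}")
```

To use it on real traffic, capture on a host in the path with `tcpdump -ni <iface> -w ike.pcap 'udp port 500 or udp port 4500'`, extract each UDP payload (for example with scapy), and feed `(dst_port, payload)` pairs to `phase_summary`. Seeing only `nat-keepalive` or `esp-udp` entries from the Checkpoint side, with no Main Mode or Quick Mode messages, would confirm that the Phase 1/Phase 2 exchanges are not arriving at the WG even though both ends report the tunnel as up.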