[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 587
  • Last Modified:

VPN Issue

Afternoon

I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.

My customer requires vpn access to external contractors, using site to site VPN connections locked down to specific servers.

This all worked fine when they had a traditional internet connection plugged directly into their Watchguard.  However this changed recently when they switched to an MPLS network with an internet breakout with managed firewall.

All relevant traffic is forwarded from the managed firewall to the Watchguard.  And the external interface on the Watchguard now has an internal address assigned by the MPLS provider - 192.168.x.x/27

All external contractors VPN's are working bar one, and they are using a Checkpoint firewall.

Alternate contractors are using Watchguards or Drayteks and they are fine.

The connection appears to be made at both ends but there is no traffic flowing between the sites.  The contractor says they can see traffic going out but the WG shows no received packets.

The contractors with Watchguards had to specify the authentication gateway as the Watchguard interface as the only change.  There isn't this option on the Checkpoints.

A log snippet attached shows the errors when I ping out from the WG, to me it appears a endpoints are seeing each other but the actual 1st and 2nd modes are not actually occuring - which is weird as I would have thought this would have stopped the connection from even occuring?....

All phases of authentication have been triple checked....and the triple checked again

Before its is suggested, adding a separate external line is not an option to avoid the effective double NAT.  If other VPN's are working then so can this one

All suggestions welcomed
Thanks
Firewall-Issue.bmp
0
DLeaver
Asked:
DLeaver
  • 2
  • 2
2 Solutions
 
John HurstBusiness Consultant (Owner)Commented:
I am not familiar with your gear (and details are important).  Two suggestions:

1. I see you are using main mode (fine). Try agressive mode to see if that makes a change. You can always revert right back.

2. See if you have a variable for NAT Traversal and enable NAT Traversal. I need that for some of my Cisco - Juniper site to site connections.


... Thinkpads_User
0
 
QlemoC++ DeveloperCommented:
Key messages are
   Sending fifth message
   ...
   Received inform notify: (Payload Malformed)
5th exchange of Phase 1 Main Mode is about IDs and hashes, and there seems to be a mismatch here. This points into the direction what other contractors had to change. Maybe you can find an option on the WatchGuard to provide its public IP as a Phase 1 Local ID? I don't know WGs enough to tell you where to find that.
0
 
DLeaverAuthor Commented:
Update - still not resolved at this point

Tried using aggressive mode previously with no change.

I am arranging a 1 to 1 NAT from our managed firewall to our WG to see if this overcomes the issue.
0
 
DLeaverAuthor Commented:
Thanks for the input

We have had to use an alternate method for now

However both valid suggestions which we hadn't considered

Thanks again
0
 
John HurstBusiness Consultant (Owner)Commented:
@DLeaver - Thank you and I was happy to help you with this.

.... Thinkpads_User
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now