Solved

VPN Issue

Posted on 2013-02-02
Last Modified: 2013-03-01
Afternoon

I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.

My customer requires VPN access for external contractors, using site-to-site VPN connections locked down to specific servers.

This all worked fine when they had a traditional internet connection plugged directly into their Watchguard.  However, this changed recently when they switched to an MPLS network with an internet breakout with a managed firewall.

All relevant traffic is forwarded from the managed firewall to the Watchguard, and the external interface on the Watchguard now has an internal address assigned by the MPLS provider - 192.168.x.x/27

All the external contractors' VPNs are working bar one, and that contractor is using a Checkpoint firewall.

The other contractors are using Watchguards or Drayteks and they are fine.

The connection appears to be made at both ends but there is no traffic flowing between the sites.  The contractor says they can see traffic going out but the WG shows no received packets.

The only change the contractors with Watchguards had to make was to specify the authentication gateway as the Watchguard interface.  There isn't this option on the Checkpoints.

The attached log snippet shows the errors when I ping out from the WG. To me it appears the endpoints are seeing each other but the actual 1st and 2nd modes are not actually occurring, which is weird as I would have thought this would have stopped the connection from even occurring.

All phases of authentication have been triple checked... and then triple checked again.

Before it is suggested, adding a separate external line to avoid the effective double NAT is not an option.  If other VPNs are working then so can this one.

All suggestions welcomed
Thanks
Attachment: Firewall-Issue.bmp

Question by: DLeaver
5 Comments
 
LVL 97

Accepted Solution

by: Experienced Member (earned 750 total points)
ID: 38846766
I am not familiar with your gear (and details are important).  Two suggestions:

1. I see you are using main mode (fine). Try aggressive mode to see if that makes a change. You can always revert right back.

2. See if you have a variable for NAT Traversal and enable NAT Traversal. I need that for some of my Cisco - Juniper site to site connections.


... Thinkpads_User
 
LVL 70

Assisted Solution

by: Qlemo (earned 750 total points)
ID: 38847604
Key messages are
   Sending fifth message
   ...
   Received inform notify: (Payload Malformed)
The 5th exchange of Phase 1 Main Mode is about IDs and hashes, and there seems to be a mismatch here. This points in the direction of what the other contractors had to change. Maybe you can find an option on the WatchGuard to provide its public IP as a Phase 1 Local ID? I don't know WGs well enough to tell you where to find that.
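As an added example (not from the thread, and not WatchGuard or Checkpoint code), the Python below models the two Phase 1 details the two answers above point at: the Identification payload carried in Main Mode messages 5/6 (RFC 2408 section 3.8, IPsec DOI fields from RFC 2407 section 4.6.2), as checked by a responder that expects its peer under the peer's public address, and the NAT-D hash that NAT Traversal (RFC 3947 section 3.2) uses so both sides can detect an address rewrite between them. The addresses, cookies and host name are constructed for illustration: `203.0.113.7` stands in for the managed firewall's public address and `192.168.10.5` for the private address on the WatchGuard's external interface. The "Payload Malformed" strings are raised by this example's own parser on structurally bad payloads; the thread's log line is not claimed to come from the same check.

```python
import hashlib
import ipaddress
import struct

# ID types from the IPsec DOI (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2

# Constructed scenario values (not from the thread)
WG_PRIVATE = "192.168.10.5"   # WatchGuard external interface, MPLS-provider private address
WG_PUBLIC = "203.0.113.7"     # managed firewall's public address that forwards to the WG
CKY_I = bytes.fromhex("0102030405060708")  # initiator cookie, constructed
CKY_R = bytes.fromhex("1112131415161718")  # responder cookie, constructed


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an ISAKMP Identification payload for the IPsec DOI.

    Generic header: next payload (1), reserved (1), payload length (2);
    then ID type (1), protocol ID (1), port (2) and the identification data.
    """
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 17, 500) + data


def parse_id_payload(buf: bytes):
    """Decode an Identification payload; raise ValueError when it is malformed."""
    if len(buf) < 8:
        raise ValueError("Payload Malformed: ID payload shorter than its fixed header")
    _next, _rsv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError(f"Payload Malformed: length field {length} != {len(buf)} bytes")
    data = buf[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("Payload Malformed: ID_IPV4_ADDR needs exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_FQDN:
        return id_type, data.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


def responder_accepts(expected_peer_id, received_payload: bytes) -> bool:
    """Responder-side check: the peer's ID must equal the configured gateway identity."""
    return parse_id_payload(received_payload) == expected_peer_id


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int = 500) -> bytes:
    """NAT-D payload content per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    packed = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def nat_detected(cky_i, cky_r, peer_sent_hash: bytes, observed_ip: str, observed_port: int = 500) -> bool:
    """The peer hashes the address it believes it has; we hash the address the packet
    actually arrived from.  A difference means a NAT rewrote the source address."""
    return peer_sent_hash != natd_hash(cky_i, cky_r, observed_ip, observed_port)


def demo() -> dict:
    # The Checkpoint side is configured to expect the WG under its public address.
    expected = (ID_IPV4_ADDR, WG_PUBLIC)
    # Case A: the WG identifies itself by its (private) external interface address.
    id_from_interface = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(WG_PRIVATE).packed)
    # Case B: the WG is given an explicit Phase 1 local ID equal to the public address.
    id_from_public = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(WG_PUBLIC).packed)
    # NAT-D: the WG hashes its private address; the Checkpoint sees the public one.
    wg_natd = natd_hash(CKY_I, CKY_R, WG_PRIVATE)
    return {
        "interface_address_id_accepted": responder_accepts(expected, id_from_interface),
        "public_address_id_accepted": responder_accepts(expected, id_from_public),
        "nat_between_peers": nat_detected(CKY_I, CKY_R, wg_natd, WG_PUBLIC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with `python3`. Case A is the mismatch Qlemo describes: the responder rejects an ID_IPV4_ADDR payload carrying the pre-NAT interface address; Case B is the explicit local ID set to the public address. The last result shows why enabling NAT Traversal, as the accepted answer suggests, matters on this link: the NAT-D hash the WG sends for its own address never equals the hash of the source address the Checkpoint actually observes, which is exactly how RFC 3947 peers learn that a NAT sits between them and switch to UDP encapsulation.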
 
LVL 12

Author Comment

by:DLeaver
ID: 38880990
Update - still not resolved at this point

Tried using aggressive mode previously with no change.

I am arranging a 1-to-1 NAT from our managed firewall to our WG to see if this overcomes the issue.
 
LVL 12

Author Closing Comment

by:DLeaver
ID: 38943299
Thanks for the input

We have had to use an alternate method for now

However both valid suggestions which we hadn't considered

Thanks again
 
LVL 97

Expert Comment

by:Experienced Member
ID: 38943308
@DLeaver - Thank you and I was happy to help you with this.

.... Thinkpads_User