Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

VPN Issue

Posted on 2013-02-02
5
Medium Priority
?
585 Views
Last Modified: 2013-03-01
Afternoon

I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.

My customer requires vpn access to external contractors, using site to site VPN connections locked down to specific servers.

This all worked fine when they had a traditional internet connection plugged directly into their Watchguard.  However this changed recently when they switched to an MPLS network with an internet breakout with managed firewall.

All relevant traffic is forwarded from the managed firewall to the Watchguard.  And the external interface on the Watchguard now has an internal address assigned by the MPLS provider - 192.168.x.x/27

All external contractors VPN's are working bar one, and they are using a Checkpoint firewall.

Alternate contractors are using Watchguards or Drayteks and they are fine.

The connection appears to be made at both ends but there is no traffic flowing between the sites.  The contractor says they can see traffic going out but the WG shows no received packets.

The contractors with Watchguards had to specify the authentication gateway as the Watchguard interface as the only change.  There isn't this option on the Checkpoints.

A log snippet attached shows the errors when I ping out from the WG, to me it appears a endpoints are seeing each other but the actual 1st and 2nd modes are not actually occuring - which is weird as I would have thought this would have stopped the connection from even occuring?....

All phases of authentication have been triple checked....and the triple checked again

Before its is suggested, adding a separate external line is not an option to avoid the effective double NAT.  If other VPN's are working then so can this one

All suggestions welcomed
Thanks
Firewall-Issue.bmp
0
Comment
Question by:DLeaver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 98

Accepted Solution

by:
John Hurst earned 750 total points
ID: 38846766
I am not familiar with your gear (and details are important).  Two suggestions:

1. I see you are using main mode (fine). Try agressive mode to see if that makes a change. You can always revert right back.

2. See if you have a variable for NAT Traversal and enable NAT Traversal. I need that for some of my Cisco - Juniper site to site connections.


... Thinkpads_User
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 750 total points
ID: 38847604
Key messages are
   Sending fifth message
   ...
   Received inform notify: (Payload Malformed)
5th exchange of Phase 1 Main Mode is about IDs and hashes, and there seems to be a mismatch here. This points into the direction what other contractors had to change. Maybe you can find an option on the WatchGuard to provide its public IP as a Phase 1 Local ID? I don't know WGs enough to tell you where to find that.
0
 
LVL 12

Author Comment

by:DLeaver
ID: 38880990
Update - still not resolved at this point

Tried using aggressive mode previously with no change.

I am arranging a 1 to 1 NAT from our managed firewall to our WG to see if this overcomes the issue.
0
 
LVL 12

Author Closing Comment

by:DLeaver
ID: 38943299
Thanks for the input

We have had to use an alternate method for now

However both valid suggestions which we hadn't considered

Thanks again
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38943308
@DLeaver - Thank you and I was happy to help you with this.

.... Thinkpads_User
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So, you're experiencing issues on your network and you've decided that you need to perform some tests to determine whether your cabling is good.  You're likely thinking that you may need to spend money which you probably don't have on hiring/purchas…
Before I go to far, let's explain HA (High Availability) and why you should consider it.  High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service.  As…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question