Solved

VPN Issue

Posted on 2013-02-02
565 Views
Last Modified: 2013-03-01
Afternoon

I have a VPN issue which is giving me a headache - and I've solved my share of VPN issues.

My customer requires VPN access for external contractors, using site-to-site VPN connections locked down to specific servers.

This all worked fine when they had a traditional internet connection plugged directly into their WatchGuard. However this changed recently when they switched to an MPLS network with an internet breakout with managed firewall.

All relevant traffic is forwarded from the managed firewall to the WatchGuard. And the external interface on the WatchGuard now has an internal address assigned by the MPLS provider - 192.168.x.x/27

All external contractors' VPNs are working bar one, and they are using a Check Point firewall.

Alternate contractors are using WatchGuards or DrayTeks and they are fine.

The connection appears to be made at both ends but there is no traffic flowing between the sites. The contractor says they can see traffic going out but the WG shows no received packets.

The contractors with WatchGuards had to specify the authentication gateway as the WatchGuard interface as the only change. There isn't this option on the Check Points.

A log snippet attached shows the errors when I ping out from the WG. To me it appears the endpoints are seeing each other but the actual 1st and 2nd modes are not actually occurring - which is weird, as I would have thought this would have stopped the connection from even occurring?...

All phases of authentication have been triple checked... and then triple checked again.

Before it is suggested, adding a separate external line is not an option to avoid the effective double NAT. If other VPNs are working then so can this one.

All suggestions welcomed
Thanks
Firewall-Issue.bmp
Question by:DLeaver
 

Accepted Solution

by: John Hurst, earned 250 total points
ID: 38846766
I am not familiar with your gear (and details are important).  Two suggestions:

1. I see you are using main mode (fine). Try aggressive mode to see if that makes a change. You can always revert right back.

2. See if you have a variable for NAT Traversal and enable NAT Traversal. I need that for some of my Cisco - Juniper site to site connections.


... Thinkpads_User

Assisted Solution

by: Qlemo, earned 250 total points
ID: 38847604
Key messages are
   Sending fifth message
   ...
   Received inform notify: (Payload Malformed)
The 5th exchange of Phase 1 Main Mode is about IDs and hashes, and there seems to be a mismatch here. This points in the direction of what the other contractors had to change. Maybe you can find an option on the WatchGuard to provide its public IP as a Phase 1 Local ID? I don't know WGs well enough to tell you where to find that.
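As an added illustration (not from the thread or from any vendor's code), the Python below encodes and checks the ISAKMP Identification payload carried in Main Mode messages 5 and 6, showing why a gateway whose external interface now carries a private address fails the responder's peer-ID check until its Local ID is set to the public address. The addresses, the FQDN and the expected peer ID are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

# IKEv1 Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN = 1, 2


def build_id_payload(id_type, id_value, next_payload=8):
    """Encode an ISAKMP Identification payload: generic header (next payload,
    reserved, length) then ID type, protocol ID, port (both 0 = any) and data."""
    if id_type == ID_IPV4_ADDR:
        data = IPv4Address(id_value).packed
    elif id_type == ID_FQDN:
        data = id_value.encode("ascii")
    else:
        raise ValueError("unsupported ID type")
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data


def parse_id_payload(payload):
    """Decode an Identification payload into (id_type, id_value). A length
    field that disagrees with the data is rejected as malformed."""
    if len(payload) < 8:
        raise ValueError("payload too short")
    _nxt, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return id_type, str(IPv4Address(data))
    if id_type == ID_FQDN:
        return id_type, data.decode("ascii")
    raise ValueError("unsupported or malformed ID")


def responder_accepts(expected_id, payload):
    """Responder check on Main Mode message 5: the initiator's ID must equal
    the peer ID configured for the tunnel. Returns (ok, received_id)."""
    received = parse_id_payload(payload)
    return received == expected_id, received


def demo():
    # Constructed placeholders: the gateway's new private external address
    # (RFC 1918) and the public address the remote side expects (TEST-NET-3).
    private_if, public_ip = "192.168.1.10", "203.0.113.10"
    expected = (ID_IPV4_ADDR, public_ip)
    # Default: the gateway identifies itself by its interface address -> mismatch.
    by_interface, _ = responder_accepts(expected, build_id_payload(ID_IPV4_ADDR, private_if))
    # Local ID explicitly set to the public address -> IDs agree.
    by_local_id, _ = responder_accepts(expected, build_id_payload(ID_IPV4_ADDR, public_ip))
    return by_interface, by_local_id
```

`demo()` returns (False, True): the interface-derived ID is rejected, the configured Local ID is accepted.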

Author Comment

by: DLeaver
ID: 38880990
Update - still not resolved at this point

Tried using aggressive mode previously with no change.

I am arranging a 1-to-1 NAT from our managed firewall to our WG to see if this overcomes the issue.

Author Closing Comment

by: DLeaver
ID: 38943299
Thanks for the input

We have had to use an alternate method for now

However, both were valid suggestions which we hadn't considered.

Thanks again

Expert Comment

by: John Hurst
ID: 38943308
@DLeaver - Thank you and I was happy to help you with this.

.... Thinkpads_User
