
List:       firewall-1
Subject:    [FW-1] R: [FW-1] R: [FW-1] Nokia IP40 VPN site to site tunnel doesn't work
From:       Landolina Salvatore <s.landolina () REPLY ! IT>
Date:       2005-04-28 14:21:32
Message-ID: 98103656952FCA45B9AC2BCD50474C180313D988 () to1mbxs03 ! replynet ! prv

Yes, maybe vpn debug could be useful.

In any case, if the problem is the wrong source address in packets, the solution is the following:
- close Dashboard
- stop Smart Center with cpstop or fw stop
- change the parameter 'IPSec_main_if_nat' to 'true' in $FWDIR/conf/object_5_0.C on the Smart Center (by hand or with guidbedit; I did it by hand and it worked)
- restart Smart Center with cpstart or fw start
- reinstall policies

bye

---------------------------------------------------------------
Salvatore Landolina
Spike Reply S.r.l.
Via Ripamonti, 89                   20139  Milano
tel  +39 02 53576.1                  fax    +39 02 53576.444
e-mail s.landolina@reply.it
www.reply.it
---------------------------------------------------------------



________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Andrew Smaff Matthews
Sent: Thu 28/04/2005 13.49
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] R: [FW-1] Nokia IP40 VPN site to site tunnel doesn't work



On Thu, Apr 28, 2005 at 09:40:01AM +0200, Landolina Salvatore wrote:
> I had a similar problem with VPN between IP40 and R55. The trouble was
> that ESP packets outgoing from Check Point to IP40 had a wrong SOURCE
> address. The source address of outgoing packets had the IP address of an
> INTERNAL interface and not the EXTERNAL as it should be normally.... Try
> to run tcpdump on the external interface and check ESP packets....
> 
Always good advice. If that's not the problem, then using:

        vpn debug trunc

On your R55 firewall is always useful (creates a file called something along
the lines of $FWDIR/log/vpnd.elg - which is plain text, but not plain
English :> Some knowledge of the IKE/IPsec protocols is very useful here).

Don't forget to:
        vpn debug off

When you're done, or you'll be generating a real big logfile (over time).

                Smaff

--
You happen to be here, now.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================
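
The tcpdump check suggested in the thread can be scripted. The following is an added example, not part of the original messages: it reads `tcpdump -n` text output and reports ESP packets sent to the peer whose source is not the gateway's external address. The function names are hypothetical and the addresses (documentation ranges plus one private address) and capture lines are constructed.

```shell
#!/bin/sh
# Added example: flag outgoing ESP packets with the wrong source address.
# Input on stdin: text output of `tcpdump -n`, one packet per line, e.g.
#   tcpdump -n -c 200 -i <external-if> ip proto 50 | esp_wrong_source <ext-ip> <peer-ip>
# $1 = expected external address of the local gateway (assumed known)
# $2 = address of the remote VPN peer
# Output: one line per unexpected source, "<address> <packet count>", sorted.
esp_wrong_source() {
    awk -v want="$1" -v peer="$2" '
        / ESP\(/ {
            # Find the ">" separator: source is the field before it,
            # destination the field after it (with a trailing colon).
            for (i = 2; i < NF; i++) if ($i == ">") break
            if (i >= NF) next
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)
            if (dst != peer) next        # only packets we send to the peer
            if (src != want) bad[src]++  # e.g. an internal interface address
        }
        END { for (s in bad) printf "%s %d\n", s, bad[s] }
    ' | sort
}

# Constructed sample capture: 192.0.2.1 is the external address, 10.1.1.1 an
# internal interface, 198.51.100.7 the remote peer.
sample_capture() {
    cat <<'EOF'
14:20:01.000101 IP 10.1.1.1 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
14:20:01.050220 IP 198.51.100.7 > 192.0.2.1: ESP(spi=0x4d5e6f70,seq=0x1), length 116
14:20:02.000340 IP 10.1.1.1 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
14:20:03.000512 IP 192.0.2.1 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x3), length 116
14:20:03.100000 IP 192.0.2.1.500 > 198.51.100.7.500: isakmp: phase 1 I ident
EOF
}

# Stand-alone run on the constructed sample; any output means a wrong source.
sample_capture | esp_wrong_source 192.0.2.1 198.51.100.7
```

Empty output means every ESP packet sent to the peer carried the expected external source address.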
