CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We have created a VPN (Site to Site) between the HQ office and 2 branch offices (NGX R61 running on SecureOS and Edge Appliance X Series v6). We have followed the guide taken from the Checkpoint knowledgebase (http://secureknowledge.checkpoint.co...do?id=sk30945). Using this guide we have managed to establish a VPN connection between HQ and these 2 branches. However, after the connection is up, we are unable to do any communication between HQ and these branches. I have checked the log in the SmartView Tracker and it seems that when we ping or do any communication between these sites, there are no logs indicating traffic (even though I have created the necessary policies IN and OUT to allow the traffic, and enabled logging for these policies). Here are the details:

HQ and Branch 1:
-----------------
1. Connection is established.
2. A check with the Edge unit's Event Log indicated the following:
   00074 06Nov2006 17:49:25 IKE Phase1: Completed successfully with VPN peer 219.95.119.178 [Security: AES-256/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
   00075 06Nov2006 17:49:25 IKE Phase2: Completed successfully with VPN peer 219.95.119.178 [My Ranges: 211.24.192.99-211.24.192.99 Peer Ranges: 219.95.119.178-219.95.119.178 Security: AES-128/MD5 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
3. Checking the Edge device's Report section in the Active Connections and VPN Tunnels also shows that the VPN is up.
4. Rules have been created in R61 to allow communication between HQ and Branch 1 (this log creation was done according to the guide from Checkpoint and logging was enabled).
5. We tried to ping from the branch to the HQ network and also from HQ to the branch network. The ping timed out. When we checked the log using SmartView Tracker, there were no entries indicating any communication.
6. FYI: When I created the tunnel in the Edge appliance, it was set to bypass firewall as mentioned by the guide (therefore no firewall rules were needed).
7. In SmartView Tracker however, there was a log entry as follows (indicating the establishment of the tunnel):
   Product: VPN-1Pro/Express VPN
   Feature: IKE
   Action: Key Install
   Source: Branch 1 Edge Public IP
   Destination: R61 Management IP
   Encryption Scheme: IKE
   VPN Peer Gateway: Branch 1 Edge Public IP
   Information: IKE: Quick Mode Completion

HQ and Branch 2:
-----------------
1. Connection is established.
2. A check with the Edge unit's Event Log indicated the following:
   16019 06Nov2006 18:27:50 IKE Phase1: Completed successfully with VPN peer 219.95.119.178 [Security: AES-256/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
   16020 06Nov2006 18:27:50 IKE Phase2: Completed successfully with VPN peer 219.95.119.178 [My Ranges: 219.95.126.202-219.95.126.202 Peer Ranges: 219.95.119.178-219.95.119.178 Security: AES-128/MD5 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
3. Checking the Edge device's Report section in the Active Connections and VPN Tunnels also shows that the VPN is up.
4. Rules have been created in R61 to allow communication between HQ and Branch 2 (this log creation was done according to the guide from Checkpoint and logging was enabled).
5. We tried to ping from the branch to the HQ network and also from HQ to the branch network. The ping timed out. When we checked the log using SmartView Tracker, there were no entries indicating any communication.
6. FYI: When I created the tunnel in the Edge appliance, it was set to bypass firewall as mentioned by the guide (therefore no firewall rules were needed).
7. THIS IS THE WEIRD PART. In SmartView Tracker however, there were 2 log entries always being repeated:

   Log Entry 1:
   Product: VPN-1Pro/Express VPN
   Feature: IKE
   Action: Key Install
   Source: Branch 2 Edge Public IP
   Destination: R61 Management IP
   Encryption Scheme: IKE
   VPN Peer Gateway: Branch 2 Edge Public IP
   Information: IKE: Phase 1 received notification from peer; client encryption notification

   Log Entry 2:
   Product: VPN-1Pro/Express VPN
   Feature: IKE
   Action: Reject
   Protocol: ip
   Rule: 0 - Implied Rules
   Encryption Scheme: IKE
   VPN Peer Gateway: Branch 2 Edge Public IP
   Information: encryption failure: no response from peer

Any idea what could be going on? How do I proceed to troubleshoot what could be causing this issue? Thanks.
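One check a practitioner would run on the Edge event log quoted above, added here as an example and not part of the thread: parse the completed Phase 2 entries and compare their negotiated address ranges (the traffic selectors) with the VPN domains the access rules are written for. The two LAN subnets passed in at the bottom are assumptions, since the thread does not state them.

```python
import re
from ipaddress import ip_address, ip_network

# Edge event-log lines copied from the thread above; constructed input for this example.
EDGE_LOG = """\
00074 06Nov2006 17:49:25 IKE Phase1: Completed successfully with VPN peer 219.95.119.178 [Security: AES-256/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
00075 06Nov2006 17:49:25 IKE Phase2: Completed successfully with VPN peer 219.95.119.178 [My Ranges: 211.24.192.99-211.24.192.99 Peer Ranges: 219.95.119.178-219.95.119.178 Security: AES-128/MD5 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
"""

PHASE2_RE = re.compile(
    r"IKE Phase2: Completed successfully with VPN peer (?P<peer>[\d.]+) "
    r"\[My Ranges: (?P<my_lo>[\d.]+)-(?P<my_hi>[\d.]+) "
    r"Peer Ranges: (?P<peer_lo>[\d.]+)-(?P<peer_hi>[\d.]+)"
)

def parse_phase2(log_text):
    """Extract the address ranges (traffic selectors) of every completed Phase 2 SA."""
    sas = []
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m:  # Phase 1 and other lines are skipped
            sas.append({
                "peer": m["peer"],
                "my_range": (ip_address(m["my_lo"]), ip_address(m["my_hi"])),
                "peer_range": (ip_address(m["peer_lo"]), ip_address(m["peer_hi"])),
            })
    return sas

def range_covers(lo, hi, network):
    """True when the contiguous range lo..hi contains every address of `network`."""
    return lo <= network.network_address and network.broadcast_address <= hi

def check_selectors(log_text, local_domain, remote_domain):
    """Compare each Phase 2 SA with the VPN domains (CIDR strings) the rules expect.
    A selector that collapses to one gateway address means only gateway-to-gateway
    packets can use that SA; LAN-to-LAN packets do not match it."""
    local, remote = ip_network(local_domain), ip_network(remote_domain)
    findings = []
    for sa in parse_phase2(log_text):
        for label, (lo, hi), domain in (("local", sa["my_range"], local),
                                        ("peer", sa["peer_range"], remote)):
            if not range_covers(lo, hi, domain):
                kind = "single host" if lo == hi else "range"
                findings.append(f"peer {sa['peer']}: {label} selector {lo}-{hi} "
                                f"({kind}) does not cover VPN domain {domain}")
    return findings

if __name__ == "__main__":
    # Assumed LAN subnets behind the Edge and behind HQ; the thread does not give them.
    for finding in check_selectors(EDGE_LOG, "192.168.1.0/24", "10.10.0.0/24"):
        print(finding)
```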
Which options do you use in Link Selection for the R61 module's object? And what IP address (external or not)? Did you select a VPN domain for the Edge object?
> Which options do you use in Link Selection for the R61 module's object? And what IP address (external or not)? Did you select a VPN domain for the Edge object?

Hi,

1. In the R61 module's object: Checkpoint Gateway > VPN > Link Selection > IP Selection by remote peer: "Locally managed VPN peers will determine this gateway's IP address using one of the following methods": selected is "MAIN ADDRESS".
2. Our Checkpoint WAN IP is a private IP. The WAN port is connected to another device which holds all public IPs, and we have created a static 1-to-1 NAT from this public IP to the Checkpoint's WAN IP.
   ISP Device ----------- Checkpoint
   210.187.83.86 NATed TO 192.168.10.86
3. VPN Domain in Edge: In VPN-1 Edge/Embedded Gateway Properties: Topology > VPN Domain > Manually Defined > selected the remote site's network that we have defined in Network Objects.
Sorry, I made a mistake in my previous explanation. Here is the correct info:

Hi,

1. In the R61 module's object: Checkpoint Gateway > VPN > Link Selection > IP Selection by remote peer: "Locally managed VPN peers will determine this gateway's IP address using one of the following methods": selected is "MAIN ADDRESS". Our HQ Check Point's WAN IP is a public IP (I got it confused with another Check Point that we have). This public IP is assigned to the Checkpoint device's WAN port.
2. VPN Domain in Edge: In VPN-1 Edge/Embedded Gateway Properties: Topology > VPN Domain > Manually Defined > selected the remote site's network that we have defined in Network Objects.
I would try to select a specific IP address (WAN public for the firewall module) in the Link Selection page. And... select "log all connections", because if you ping the site from behind the Edge, you should see these packets in the Edge's log (not in SmartView Tracker).