Need Help - Pb Lan2Lan between SplatPRO R65 and Nokia R65

[gustave69]

Hi,

I try to set up a VPN tunnel between my chekpoint/splatPRO ( cause Nic drivers ) R65 HFA30 and a Nokia/checkpoint R65 HFA40. All parameters seems to be ok (This is not my first tunnel, i have arround 50 tunnels in parallel, working fine) , but for this one i get " Packet is drop because no valid SA. Refer sk 19423"
My VPN SPLAT is in traditionnal mode and my client's Nokia in Communauty mode
Checkpoint/SPLAT to chekpoint/NOKIA VPNs seems to be a bad idea !!!!

Is anyone got a idea ?

Thanks a lot

[chillyjim]

Unless it is a route-based VPN (aka VTI) it should work just fine.
Time to look at the IKE & VPN debugs:

vpn debug on
vpn debug ikeon

files will be $FWDIR/log

Remember to turn off the debugs before you fill the harddrive :)

[gustave69]

Yes, it should works, but it doesn't ;-(

But, I've got a clue. The renegotiation of IPSec Ike Phase 2 parameter is set to 3600s in both side, but when there is no traffic in the tunnel for a hour, the renegotiation seems not starting ( nothing in log ), so the message "Packet is drop because no valid SA" when try to contact the other side after a hour
When there is traffic in the tunnel , the renegotiation is OK

Is there a way to simulate traffic in the tunnel for renegociation to work ?

Thx à lot

[mcnallym]

If you was community at both ends then could use the Permament Tunnel feature available in the community to do this.