SecureClient disconnected when site2site vpn tunnel up

anakalem · #1 (**permalink**) 2008-01-22

Hi all,

i have problem and i need your expertise.
I have configured remote access vpn and site to site vpn. Both work if activate it one at a time.
The problem is actually with remote access, when i remote the the firewall and then i bring up the tunnel of that firewall to other firewall (site2site), my secureclient got disconnected. Here the diagram :

HostA (me)---->FWA=====FWB

FWA have site2site vpn with FWB, while iam still using the remote. The one who disconnect is FWA.
The error said No valid SA in the tracker. The community of course is different.

Can both type VPN active in one firewall? if yes, what's the catch?

Please advise

Thank you

Cheers
Kalem

Thorpuse · #2 (**permalink**) 2008-01-22

The problem is that your SR connection is NATted behind the FireWall's IP address. THe firewall is configured to expect a site-site VPN connection from that IP, not a Remote Access VPN connection. You can resolve this by using a different IP address to Hide-NAT outbound connections, just ensure that this address is outside the encryption domains.

mcnallym · #3 (**permalink**) 2008-01-23

Or do this

enable the send_clear_traffic_between_encryption_domains property in objects_5_0.C. on the SMARTCenter and then install a policy to the gateways.

You cannot run a Remote Access VPN connectivity when sat inside the encryption domain of another gatewat that has a site-site VPN connection.

This is the recomended Check Point solution from the VPN Admin Guide.

If you have a site to site tunnel then whey need to build a Remote Access as well.

This requires that FWA and FWB are managed from the same SMARTCenter and only works if you have one active site defined on your Remote Access Client.

anakalem · #4 (**permalink**) 2008-01-24

Quote:

Originally Posted by mcnallym

This requires that FWA and FWB are managed from the same SMARTCenter and only works if you have one active site defined on your Remote Access Client.

Guys big thank you for your solutions. However, solution from thorpuse i dont think it may work in my case, since we only have 1 ip range for public / external interfaces, the rest, is the private ip.

solution from mcnallym, this two firewall, basically not managed by the same smartcenter, since the othe rone is different vendor managed it. Probably can't do as well.

Maybe i must enforce them to use site to site rather than remote access.
Thank you guys... if there is any solution, i'll be very grateful

regards
Kalem

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode