CPUG - The Check Point User Group: A Resource For The Check Point Community. Fast. Useful. Independent.
Recently we migrated to Checkpoint on the Nokia platform from the Windows platform. Everything is working fine except the VPN tunnel. We have noticed a few strange things:

1) When we are trying to establish the tunnel, Quick Mode and Aggressive Mode are happening between our internal FW-1 IP and the remote VIP. Is that normal?

2) We are seeing logs as below:

IKE: Aggressive Mode no shared secret for myself and peer
encryption failure: Error occurred

3) IKE communication on UDP port 500 is happening between our external VIP and the peer's external VIP, but the response we are getting is from the peer's internal IP.

Could anybody help me with this? Thanks in advance.

Yogesh

Hi,

Well, there is no issue with Nokia or Windows. Kindly check the Checkpoint settings. First, try unchecking the aggressive mode and quick mode and let the VPN setup go with the default settings. Second, the error that you are getting in the logs is due to the VPN phase 1 and phase 2 settings on both sides of the firewalls. If there is a PIX/Cisco router, try removing the shared secret on the router/PIX and inserting it again; also make sure that the pre-shared secret is also inserted at your side. I hope the other VPN settings are clear to you. I hope this will help you. If you need any help, please let me know.

Regards,
Ranjit

What version are you running? Is it all on one box? Which IP address are you using as the main address of the box, i.e. what is defined in the gateway object as the IP address? I would suggest, if NGX, looking at the Link Selection setting under VPN and setting it to "select", and then selecting the external IP address.

We have two Nokia boxes with VRRP configured and a separate SmartCenter server. The Checkpoint version at our end is R62 and at the remote end it is R55W. We have this tunnel built on our private network, where we have static routes only for both ends' external VIP addresses. Do we need to add routes for the physical interface IPs of the Nokia boxes as well? As per my understanding, in a cluster only the external Virtual IP is required for the VPN negotiation?

Thanks for your valuable suggestions. Yes, you are right, I can see the active firewall's physical IPs participating in the IKE negotiations. Also, theoretically it is not required to add a route for all the physical interfaces. What do you say? I can even see in SmartView Tracker that our internal physical interface is completing Quick Mode with the remote IP, which is very strange. Anything to do with the Nokia configuration?

One more question I have: in the current setup we have a standalone Windows firewall at one end and a Nokia cluster at the other end. We do not even have the route for the other end's physical IPs, but it is working fine.

Hi,

Just to share with you: we added the internal IP in the Topology of the remote peer in our firewall and selected that IP in the link selection, and then the tunnel started working. What was happening was that the reverse traffic was coming from the internal interface of the remote peer firewall.

Thanks for your help.

Yogesh
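
The symptom the thread tracked down (IKE exchanges involving a cluster member's physical address or the peer's internal interface instead of the VPN addresses) can be spotted in exported logs before anyone opens Link Selection. The following is an added example, not code from the thread or from Check Point; the log line format, all IP addresses and the label names are constructed for illustration and will need to be adapted to a real log export.

```python
import re
from typing import Dict, List, Set

# Constructed addresses (assumptions for this example, not from the thread).
LOCAL_VIPS: Set[str] = {"203.0.113.1"}                       # external VIP of the local VRRP cluster
LOCAL_MEMBER_IPS: Set[str] = {"203.0.113.2", "203.0.113.3", "10.0.0.2", "10.0.0.3"}
PEER_VIPS: Set[str] = {"198.51.100.1"}                       # remote peer's VPN address
PEER_OTHER_IPS: Set[str] = {"192.168.50.1"}                  # remote peer's internal interface

# Constructed, simplified log line format (assumption; not Check Point's own format).
LINE_RE = re.compile(r'src=(?P<src>\S+) dst=(?P<dst>\S+) service=(?P<svc>\S+) info="(?P<info>[^"]*)"')


def audit_ike_line(line: str) -> List[str]:
    """Return the problems found on one IKE log line (empty list if the line is clean)."""
    m = LINE_RE.search(line)
    if not m or m.group("svc") != "IKE":
        return []  # not an IKE exchange, nothing to check
    src, dst, info = m.group("src"), m.group("dst"), m.group("info")
    problems: List[str] = []
    # Negotiation using a member's physical address instead of the cluster VIP.
    if src in LOCAL_MEMBER_IPS or dst in LOCAL_MEMBER_IPS:
        problems.append("local-member-ip")
    # Traffic to or from a peer address other than the one defined for the VPN.
    if src in PEER_OTHER_IPS or dst in PEER_OTHER_IPS:
        problems.append("peer-non-vpn-ip")
    # The error text quoted in the thread: the gateway has no pre-shared secret for that peer address.
    if "no shared secret" in info.lower():
        problems.append("no-shared-secret")
    return problems


def audit_ike_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    report: Dict[int, List[str]] = {}
    for n, line in enumerate(text.splitlines(), start=1):
        problems = audit_ike_line(line)
        if problems:
            report[n] = problems
    return report


# Constructed sample log: a clean Main Mode, a Quick Mode from a member IP,
# and the thread's error coming back from the peer's internal interface.
SAMPLE_LOG = """\
src=203.0.113.1 dst=198.51.100.1 service=IKE info="Main Mode completion"
src=10.0.0.2 dst=198.51.100.1 service=IKE info="Quick Mode completion"
src=192.168.50.1 dst=203.0.113.1 service=IKE info="Aggressive Mode no shared secret for myself and peer"
src=203.0.113.1 dst=198.51.100.1 service=http info="accept"
"""

if __name__ == "__main__":
    for n, problems in audit_ike_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(problems)}")
```

A line flagged "local-member-ip" or "peer-non-vpn-ip" points at the Link Selection or Topology of the corresponding gateway object, which is where this thread's fix was applied.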