CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 Dazar, 2006-03-29
site-2-site Checkpoint NGX vs. Microsoft ISA 2004

I'm trying to set up a VPN S2S between these machines.
The encrypted tunnel is already up, and I accept connections from the ISA,
but I can't ping from the network behind the NGX to the ISA network.

Here is the error message (ping from NGX to ISA):
-----------------------------------------------------
Number: 8495484
Date: 27Mar2006
Time: 17:53:35
Product: VPN-1 Pro/Express
VPN Feature: IKE
Interface: daemon
Origin: ***-fw (*********)
Type: Log
Action: Reject
Reject Reason: IKE failure
Protocol: ip
Rule: 0 - Implied Rules
Encryption Scheme: IKE
VPN Peer Gateway: **** (********)
Subproduct: VPN
Information: encryption failure: no response from peer
---------------------------------------------
And the accept message (ping from ISA to NGX):
-----------------------------------------------
Number: 8494161
Date: 27Mar2006
Time: 17:32:36
Product: VPN-1 Pro/Express
VPN Feature: VPN
Interface: eth1
Origin: ***** (*******)
Type: Log
Action: Decrypt
Source: ***** (******)
Destination: ******(192.168.1.248)
Protocol: icmp
Rule: 0 - Implied Rules
Encryption Scheme: IKE
VPN Peer Gateway: ***** (********)
Encryption Methods: ESP: 3DES + SHA1 + PFS
Community: *******
Subproduct: VPN
Information: service_id: icmp-proto
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
----------------------------------------------------

Thanks,
Dudu
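
The two tracker records in the post above show the one-way symptom: traffic arriving from the peer is decrypted, while the negotiation started by the local gateway is rejected with an IKE failure. As an added example (not part of the original post), the code below parses records in that "Key: Value" layout and lists peers that show both; the sample records, the peer name and address, and the function names are constructed for illustration, since the peers in the post are masked.

```python
import re

# Constructed sample in the same "Key: Value" layout as the tracker records
# quoted in the post; the peer name and address are placeholders.
SAMPLE = """\
-----
Number: 1
VPN Feature: IKE
Action: Reject
Reject Reason: IKE failure
VPN Peer Gateway: isa-peer (192.0.2.10)
Information: encryption failure: no response from peer
-----
Number: 2
VPN Feature: VPN
Action: Decrypt
VPN Peer Gateway: isa-peer (192.0.2.10)
Encryption Methods: ESP: 3DES + SHA1 + PFS
Information: service_id: icmp-proto
-----
"""

def parse_records(text):
    """Split on dashed separator lines; split each line at the first ': ' only."""
    records = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # values may contain ': '
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def one_way_peers(records):
    """Peers whose traffic decrypts inbound while local IKE attempts are rejected."""
    seen = {}
    for rec in records:
        peer = rec.get("VPN Peer Gateway")
        if not peer:
            continue
        state = seen.setdefault(peer, set())
        if rec.get("Action") == "Decrypt":
            state.add("inbound_ok")
        elif rec.get("Action") == "Reject" and rec.get("Reject Reason") == "IKE failure":
            state.add("outbound_ike_fail")
    return sorted(p for p, s in seen.items() if {"inbound_ok", "outbound_ike_fail"} <= s)
```
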

#2 gladiatorkev, 2006-04-05
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

Hi,
I am facing a similar issue!
The only difference is that my CP NGX is installed on a Nortel Networks Switched Firewall 5111.
I am able to ping from ISA to NGX but not vice versa.

Works perfectly OK with R55!

Have you tried changing the Source IP Address Selection settings in
Gateway --> VPN --> Link Selection --> IP Selection by Remote Peer &
Gateway --> VPN --> Link Selection --> Source IP Address Settings

By default the value is Automatic (main address).
Have you tried making this manual, to the external IP address?
Let's discuss!

#3 RayPesek, 2006-04-11
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

Check out this article and see if it gives any clues: http://www.isaserver.org/articles/20...ositecpv2.html

#4 gladiatorkev, 2006-04-13
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

Hi,
I have already tried that document and my VPN using R55 works perfectly OK!
But when I configure similar settings on NGX R60 the same configuration does not work (the VPN tunnel allows ping from one side only).

There is a new setting in Gateway VPN Properties in NGX --> Link Selection.
Tried making it Manual but still of no help.

Any suggestions?

#5 Lackie, 2006-04-13
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

In VPN advanced, try changing to Custom settings > one VPN per each pair of hosts. This has worked in the past with a similar problem.

#6 gladiatorkev, 2006-04-25
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

Hi!
My VPN worked with the following settings!
I defined my VPN in SmartDashboard using the Traditional method instead of the Simplified method.

Made two rules in CP:
1: Remote LAN --> Local LAN --> Encrypt --> IKE (properties of IKE same as on the ISA side)

2: Reverse rule of the above

In ISA, defined my remote end point, rules for incoming and outgoing, as well as a ROUTE rule.

Also defined the ISA gateway in CP as an interoperable device.

In my local gateway settings made VPN --> Advanced --> Outgoing Interface --> Manual (using external interface of gateway)
Source Address Selection --> Manual (using external interface of gateway)


The above settings were not available before NGX.

I have made a document on the above exercise.
Lemme know if anyone needs it.

Kev

Last edited by gladiatorkev; 2006-04-25 at 01:47.

#7 kranti, 2006-09-11
Re: site-2-site Checkpoint NGX vs. Microsoft ISA 2004

Hi,
I am facing a similar problem when creating a VPN between ISA 2004 and Check Point NGX...
Please provide the document created by you.
Thanks