CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
| Sorry again people for probably asking silly questions but here goes If i am trying to configure a tradtional mode VPN and i have two enforcement points [enf1 = 192.168.1.1 external interface] and [enf2 = 192.168.2.1 external interface] - this is a lab env by the way I understand that in traditional mode the enforcement modules are controlled by one smart centre server? if that is correct So enf1[1.1] ----->router [1.2 & 2.2]-------->enf2[2.1] The management server is behind enf1 When create a SIC between the management server and enf2 everything works ok - when i apply a rulebase to both with the following Src DST SRV ACT Install on mgmt srv enf1 & 2 Any log enf1 & 2 After this has applied i then try and establish a SIC connection but get a 18182 TCP connection time out - I do have NAT setup - is it just me getting my rules in a muddle? Thanks --- |
I thought most of the management server -> enforcement module communication was handled by implied rules? If not, maybe you need to allow enf2 -> management server for a response? I'm sure you would've seen those drops if that were the case. I've seen some weird things with NAT; it may be a cause. Any chance you can disable it and test? However, it primarily sounds like a routing problem to me. Does enf2 have a route back to the management server?
Thanks. Yes, I do have a route back. I need to NAT to allow my SmartCenter access to the remote gateway enf2. Am I right in thinking that I could have someone set up the remote firewall for me and I just connect using the implied rules? Or would I have to have set up the remote firewall with all the rules and then shipped it out? I can even perform a fw fetch from the remote gateway. Again, as soon as the policy is installed the SIC connection fails. It's definitely a problem between the management server and the remote firewall. Really stuck. I thought implied rules would allow me to have set this up easy peasy; seems not! Thanks again.

ADDENDUM: it was a TCP 18191 connection timed out. Apologies.

Last edited by philofish; 2006-02-22 at 11:12.
As far as I know the implied rules should take care of it. Your problem may be related to anti-spoofing. From Solution ID sk21828:

Error: "TCP connectivity failure on port 18191" when installing policy

Cause: Firewall module network object has misconfigured anti-spoofing settings for the interface which is receiving the security policy download communication.

Solution: Correct the anti-spoofing settings for the particular interface.

Procedure, in SmartDashboard:
1. Select Manage > Network Objects
2. In the Network Objects manager, select the firewall module object
3. Click Edit
4. In the Check Point Gateway dialog box, select Topology
5. Select the appropriate internal interface from the interfaces list
6. Click Edit
7. In the Interface Properties dialog box, select the Topology tab
8. In the Topology tab, verify that the "Internal" option is selected
9. Verify that the "Specific" option is selected in the "IP Addresses behind this interface" section
10. Select the correct network object or group object representing all of the subnets behind this internal interface from the "Specific" drop-down list
11. Click OK in the Interface Properties dialog box
12. Click OK in the Check Point Gateway dialog box
13. Click Close in the Network Objects dialog box
14. Install policy
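An added example, not part of this thread and not Check Point code: a small Python model of the anti-spoofing check that sk21828 is talking about, showing how a wrongly scoped "Specific" group behind enf2's internal interface makes the management server's policy download look spoofed when it arrives on enf2's external interface. The interface names, the 10.2.0.0/24 internal subnet, and the management server being hide-NATed to 192.168.1.1 are assumptions for the lab described above; the check itself is a simplified model of the gateway's behaviour, not its real implementation.

```python
import ipaddress


class Interface:
    """One gateway interface with its anti-spoofing topology."""

    def __init__(self, name, ip, kind, behind=()):
        self.name = name
        self.ip = ipaddress.ip_address(ip)
        self.kind = kind  # "internal" or "external"
        # "Specific" networks behind an internal interface; unused for external.
        self.behind = [ipaddress.ip_network(n) for n in behind]


class Gateway:
    """Simplified anti-spoofing model (an assumption, not Check Point's code):
    a packet arriving on an internal interface must have a source inside that
    interface's 'behind' networks; a packet arriving on the external interface
    must NOT have a source inside any internal interface's 'behind' networks."""

    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def internal_networks(self):
        return [n for i in self.interfaces.values()
                if i.kind == "internal" for n in i.behind]

    def is_spoofed(self, iface_name, src):
        src = ipaddress.ip_address(src)
        iface = self.interfaces[iface_name]
        if iface.kind == "internal":
            return not any(src in n for n in iface.behind)
        return any(src in n for n in self.internal_networks())

    def policy_install_ok(self, iface_name, mgmt_src):
        """True if a policy download (TCP 18191) from mgmt_src arriving on
        iface_name passes anti-spoofing."""
        return not self.is_spoofed(iface_name, mgmt_src)


# Constructed lab (assumption): enf2's external interface is 192.168.2.1 and its
# internal interface is 10.2.0.1 with 10.2.0.0/24 behind it. The management
# server sits behind enf1 and reaches enf2 hide-NATed as 192.168.1.1.
MGMT_SRC_AS_SEEN_BY_ENF2 = "192.168.1.1"


def misconfigured_enf2():
    # Wrong: the "Specific" group behind the internal interface also contains
    # 192.168.1.0/24, the network the management server's traffic comes from,
    # so that traffic is "internal" and must not arrive on the external side.
    return Gateway([
        Interface("eth0", "192.168.2.1", "external"),
        Interface("eth1", "10.2.0.1", "internal",
                  behind=["10.2.0.0/24", "192.168.1.0/24"]),
    ])


def corrected_enf2():
    # Right: only the subnets actually behind the internal interface.
    return Gateway([
        Interface("eth0", "192.168.2.1", "external"),
        Interface("eth1", "10.2.0.1", "internal", behind=["10.2.0.0/24"]),
    ])


if __name__ == "__main__":
    for label, gw in (("misconfigured", misconfigured_enf2()),
                      ("corrected", corrected_enf2())):
        ok = gw.policy_install_ok("eth0", MGMT_SRC_AS_SEEN_BY_ENF2)
        print(f"{label}: policy install from {MGMT_SRC_AS_SEEN_BY_ENF2} on eth0 "
              f"{'passes' if ok else 'dropped as spoofed (TCP 18191 timeout)'}")
```

The point of the model is that the management server's packets are judged against the topology of every interface, not only the one they arrive on: any subnet you put behind an internal interface becomes an address the external interface will refuse. On a real gateway the same drop shows up in the tracker log as an address spoofing drop, which is the quickest way to confirm this diagnosis before touching the topology.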
Many thanks for the reply, but do you know what it was? This is what is confusing me a little. I am going to post up another question because I want to get this right in my head. Many thanks.