CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello. I have a problem similar to the one in "traditional mode vpn question". I have the following lab network configuration:

-- WS01 -------- FW01 -------- Router ------- FW02 ----- WS02 --
   mgmt          NGX        "internet"        NGX       client
192.168.x.x ----192.168.x.x ---- 83.220.x.x----83.220.x.x --------------- 193.178.x.x----193.178.x.x --- 10.2.x.x-----10.2.x.x

The networks behind the firewalls are NATed behind their gateways. As long as I have ordinary rules, everything works fine: I can install policies on both firewalls, ping from WS01 to FW02, and all seems to work.

But if I try to set up a site-to-site VPN (in simplified mode, of course :) ), I get an error while installing the policies on the firewalls. On FW01 the installation always works fine, but on FW02 it mysteriously always fails! When I install the policy with the VPN configured on FW01 first, I can no longer ping FW02, only the internet. If I install it on FW02 first, the installation fails, and I can only communicate with FW02 again after resetting SIC on FW02 and on the management station. :(

The installation error on FW02 is always the NG standard error ;) "TCP connectivity failure (port=18191) (IP=X) [error no. 10]". One time the error was "peer sent SIC name that is different than the one configured for it in smartcenter server...", but that was not reproducible when doing the same procedure I always do: create a meshed VPN, install the policies, reset SIC on both sides because the installation failed.

I have also tried many of the things you find on the internet, like the standard 18191 solution melipla posted in "traditional mode vpn question", but it really doesn't work! Only once did I find a problem that seemed similar to mine, but with no solution. :(

I hope you can help me out of this problem. ASAP would be nice :) Thanks to all of you for reading this long text and trying to help me!

Regards, Jean-Marc

Last edited by jm.sch; 2006-02-27 at 08:11.
Good morning! Yesterday evening I got some things working by setting the routes another way. Here are my original routes:

MGMT-----------------------FW01--------------"INET"-----------------FW02---------------WS02
def.GW: FW01----------def. route: INET-----GW_enable=yes--------def. route: INET-----def GW: FW02
-------------------------------------------router_enable=yes

Yesterday I set routes on INET (which is unthinkable in real life, I think) such that I could ping WS02 from my mgmt WS01 and back, without NATing:

route1: 192.168.x.0/24 -> 193.178.x.x (FW01)
route2: 10.2.x.0/24 -> 83.220.x.x (FW02)

Then I tried to install the policies again, and it worked, also on FW02! The VPN tunnel also works, but only when I set the routes on INET; when I delete them, I cannot reach FW02!

Do I have "only" a routing problem? Or one with NAT? I am not supposed to set routes on INET, especially when dealing with private IPs :) So the only way will be setting routes on the FWs or doing some strange NAT, I think... or am I thinking the wrong way?

Regards, Jean-Marc

Last edited by jm.sch; 2006-02-28 at 04:01.
Hi Jean-Marc,

It's a bit hard to decipher exactly what's going on there, but you're definitely correct that the routing you set up is not valid on the internet. The 'Internet', in this case your router, should only know how to connect to the two endpoints: the outside interface addresses of the two firewalls. It should not have 'visibility' of either the WS01 mgmt or the WS02 client (the VPN is tunnelled through this connection). Additionally, the 10.x.x.x and 192.168.x.x addresses are RFC 1918 and not internet routable.

Your problem is more likely with NAT, I'd guess. I saw another problem on the forum where someone had posted a PIX to Check Point site-to-site VPN but had allowed so much access that packets could pass between the gateways unencrypted (try to avoid doing that). If the VPN is set up correctly, you should see IKE Phase 1 and Phase 2 entries and encrypt/decrypt entries in SmartView Tracker.

From what I gather (I've only done Check Point --> other vendor VPNs so far), you should set up Static Address Translation for the Management Server, WS01, to an address on the outside of FW01. I'd guess you should use an additional address here and not the address of the firewall (for example, create another object for the static address?). You should also configure the necessary security access rule on FW01 for the MGMT server WS01 to contact FW02. The next steps would then be to load the policy on FW01 first, then FW02.

Finally, remember that creating a VPN doesn't give the endpoints access to each other; you need a security rule on each (?) firewall referencing the VPN Community and specifying access.

Any help? Comments from anyone else?
I think I've solved it. The main reason, I think, was that the IP addresses of the NGs in the General Properties window weren't the right ones: the IP address of FW1 was 192.xxx and the IP of FW2 was 10.xxx. Now I've switched both to the external IPs, FW1 to 193.xxx and FW2 to 83.xxx, and now all works fine... until my next problem :) Thank you very much. I also created an external host for NATing, and it works fine too :)

Jean-Marc
Well done, Jean-Marc. That's a common mistake; the address in the General Properties of the enforcement module should always be the externally facing one. VPNs will not work otherwise.
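The two rules the thread settles on (the gateway object's main IP must be its externally facing address, and the "internet" router between the gateways must not carry routes to the private networks behind them) can be checked mechanically before a policy install. The script below is an added example written for this page; it is not Check Point's code and not its object model. The Gateway, Interface and Route classes are assumptions for the example, all addresses are constructed (public ones taken from the RFC 5737 documentation ranges), and nothing in it talks to SmartCenter.

```python
"""Sanity checks for a Check Point site-to-site VPN lab laid out like the one in
this thread.  Example code, not Check Point's object model.

Rule 1: the gateway object's main IP (General Properties) must be an externally
        facing interface address, not RFC 1918 space.
Rule 2: the "internet" router must only know the gateways' outside addresses; a
        route on it to 192.168.x.x or 10.x.x.x means traffic can cross the
        middle unencrypted, bypassing the tunnel.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import List

# RFC 1918 is checked explicitly rather than with ipaddress.is_private, because
# is_private is also True for the RFC 5737 documentation ranges used below.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Interface:
    name: str
    address: str      # "addr/prefix", e.g. "198.51.100.1/24"
    external: bool    # True for the interface facing the "internet" router


@dataclass
class Gateway:
    name: str
    main_ip: str      # the address entered in General Properties
    interfaces: List[Interface] = field(default_factory=list)


@dataclass
class Route:
    destination: str  # CIDR
    next_hop: str


def gateway_findings(gw: Gateway) -> List[str]:
    """Rule 1.  Returns a list of problems; an empty list means the object is OK."""
    findings = []
    main = ip_address(gw.main_ip)
    external = {ip_interface(i.address).ip for i in gw.interfaces if i.external}
    if any(main in net for net in RFC1918):
        findings.append(f"{gw.name}: main IP {main} is RFC 1918 space; the peer would try to reach an unroutable address")
    if not external:
        findings.append(f"{gw.name}: no interface is marked external")
    elif main not in external:
        ext = ", ".join(str(a) for a in sorted(external))
        findings.append(f"{gw.name}: main IP {main} is not an external interface address (external: {ext})")
    return findings


def internet_route_findings(routes: List[Route], gateways: List[Gateway]) -> List[str]:
    """Rule 2.  Flags routes on the middle router that reach private space behind
    a gateway, and next hops that are not a gateway's outside address."""
    outside = {ip_interface(i.address).ip for gw in gateways for i in gw.interfaces if i.external}
    findings = []
    for r in routes:
        net = ip_network(r.destination, strict=False)
        hop = ip_address(r.next_hop)
        if any(net.subnet_of(rfc) for rfc in RFC1918):
            findings.append(f"internet router: route {net} via {hop} exposes private space behind a gateway; traffic would bypass the VPN")
        if hop not in outside:
            findings.append(f"internet router: next hop {hop} is not a gateway outside address")
    return findings


# Constructed sample mirroring the thread: FW01 first with its internal address in
# General Properties (the mistake), then with the external one (the fix).
FW01_WRONG = Gateway("FW01", "192.168.1.1", [
    Interface("eth0", "192.168.1.1/24", external=False),
    Interface("eth1", "198.51.100.1/24", external=True),
])
FW01_FIXED = Gateway("FW01", "198.51.100.1", FW01_WRONG.interfaces)
FW02 = Gateway("FW02", "203.0.113.1", [
    Interface("eth0", "10.2.0.1/24", external=False),
    Interface("eth1", "203.0.113.1/24", external=True),
])
# The routes added on the "internet" router to make ping work (the invalid workaround).
LEAKY_ROUTES = [Route("192.168.1.0/24", "198.51.100.1"), Route("10.2.0.0/24", "203.0.113.1")]

if __name__ == "__main__":
    for gw in (FW01_WRONG, FW01_FIXED, FW02):
        print(gw.name, gateway_findings(gw) or ["OK"])
    print("routes", internet_route_findings(LEAKY_ROUTES, [FW01_FIXED, FW02]) or ["OK"])
```

Run as-is it reports two findings for the misconfigured FW01 object (RFC 1918 main IP, and main IP not on the external interface), none once FW01 carries its external address, and two for the leaky routes on the middle router. If you keep a gateway inventory elsewhere, the only thing to adapt is the construction of the Gateway and Route objects; the checks themselves are independent of where the data comes from.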