Quick Mode never tries on Linux site-to-site



RayPesek
2009-02-27, 14:34
We're trying to set up a site-to-site VPN from R65 HFA02 to a Linux box. The folks using the Linux box are known VPN experts for both Linux and Check Point. We're using a preshared secret.

Main mode completes perfectly and instantly. On the Check Point side, I never see anything else. No errors, no Quick Mode messages, absolutely nothing. On the Linux side they're seeing that their system is waiting for Phase 2 to start.

Nothing either of us does makes any difference. They already have numerous site-to-site VPNs set up with Check Point firewalls and set ours up identically.

Any guesses are greatly appreciated.

Thanks,

Ray

Thorpuse
2009-02-27, 21:52
Overlapping encryption domains? If Phase 2 isn't starting, it's most likely because the traffic that is attempting to set up the tunnel isn't matching the encryption domain correctly. Check that the VPN domains on both sides are set correctly, AND that they don't overlap with another site.

I'd also set up some debugging and look at the ike.elg file with IKEView. You may see that the phase 2 packet is being sent and/or dropped for some reason there.
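Added example (not from the thread or either poster): a small Python check for the two conditions the reply above names, whether a flow actually falls inside the local and peer encryption domains, and whether two peers' domains overlap. Addresses are constructed RFC 5737 documentation ranges, and the "two contiguous IPs" peer stands in for the remote domain described later in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (documentation ranges, not the poster's real addresses).
LOCAL_DOMAIN = ["192.0.2.0/24"]
PEER_DOMAINS = {
    "linux-site": ["198.51.100.24/32", "198.51.100.25/32"],  # two contiguous hosts
    "other-site": ["198.51.100.0/25"],                        # constructed overlap
}


def _nets(cidrs):
    return [ip_network(c) for c in cidrs]


def find_overlaps(peer_domains):
    """Return (peer_a, peer_b, net_a, net_b) for every pair of peers whose domains overlap."""
    names = sorted(peer_domains)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in _nets(peer_domains[a]):
                for nb in _nets(peer_domains[b]):
                    if na.overlaps(nb):
                        hits.append((a, b, str(na), str(nb)))
    return hits


def matching_peer(src, dst, local_domain, peer_domains):
    """Which peer(s) a src->dst flow would be tunnelled to under the configured domains.

    None means the flow is not VPN traffic at all, so no Quick Mode would be attempted
    for it. A list with more than one entry means several peers' domains claim the
    destination, which is the overlap condition the reply warns about.
    """
    s, d = ip_address(src), ip_address(dst)
    if not any(s in n for n in _nets(local_domain)):
        return None
    claimants = [p for p, cidrs in peer_domains.items() if any(d in n for n in _nets(cidrs))]
    return claimants or None


if __name__ == "__main__":
    for a, b, na, nb in find_overlaps(PEER_DOMAINS):
        print(f"OVERLAP: {a} ({na}) and {b} ({nb})")
    print(matching_peer("192.0.2.10", "198.51.100.24", LOCAL_DOMAIN, PEER_DOMAINS))
```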

RayPesek
2009-02-28, 13:50
Thanks. I did run an IKE debug but I don't have IKEView. I didn't see anything in it referencing Phase 2 at all.

The encryption domain on the remote side is precisely two contiguous IP addresses (a .24 and a .25).

They are using this firewall for multiple site-to-site VPNs. I'll ask if another one they have set up overlaps ours.

Thanks for the suggestion,

Ray