Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 26 replies
  • Subscribers 3 subscribers
  • Views 27503 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 => Checkpoint IPSec S2S VPN

thentom
Hi,
I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
Both sides are using networks (not hosts) to be encrypted.
local: 10.33.86.0/24  remote: 172.20.250.0/24
The tunnel works, I can reach IPs in remote network 172.20.250.0/24
but the remote network can't reach IP's in my local network 10.33.86.0/24

This is the corresponding error message:

2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500

To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
Does anybody have an idea about this?
Cheers
Thomas


This thread was automatically locked due to age.
Parents
  • 0
    Had you already defined the Local and Remote networks, or were these IPs all you put in them?
    You do need to put your networks that you want to communicate over the VPN into those settings.

    If you're still having issues, please post screenshots of the configuration (hit 'Go Advanced' in this forum to upload attachments).

    Barry
  • 0 in reply to BarryG
    Had you already defined the Local and Remote networks, or were these IPs all you put in them?
    You do need to put your networks that you want to communicate over the VPN into those settings.

    If you're still having issues, please post screenshots of the configuration (hit 'Go Advanced' in this forum to upload attachments).

    Barry


    Hi, 
    As I wrote in my first post:
    local: 10.33.86.0/24  remote: 172.20.250.0/24 were defined.
    Communication from 172.20.250.x to 10.33.86.x was not working with these config.
    But it worked with local: 10.33.86.0/24 and 10.33.86.5/32  remote: 172.20.250.0/24, 
    where 10.33.86.5 is the UTMs local interface IP.
    So it works, but it looks strange to me and I thought someone could explain it.
    Cheers
    Thomas
Reply
  • 0 in reply to BarryG
    Had you already defined the Local and Remote networks, or were these IPs all you put in them?
    You do need to put your networks that you want to communicate over the VPN into those settings.

    If you're still having issues, please post screenshots of the configuration (hit 'Go Advanced' in this forum to upload attachments).

    Barry


    Hi, 
    As I wrote in my first post:
    local: 10.33.86.0/24  remote: 172.20.250.0/24 were defined.
    Communication from 172.20.250.x to 10.33.86.x was not working with these config.
    But it worked with local: 10.33.86.0/24 and 10.33.86.5/32  remote: 172.20.250.0/24, 
    where 10.33.86.5 is the UTMs local interface IP.
    So it works, but it looks strange to me and I thought someone could explain it.
    Cheers
    Thomas
Children
No Data
Unfiltered HTML