Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 26 replies
  • Subscribers 3 subscribers
  • Views 27502 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 => Checkpoint IPSec S2S VPN

thentom
Hi,
I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
Both sides are using networks (not hosts) to be encrypted.
local: 10.33.86.0/24  remote: 172.20.250.0/24
The tunnel works, I can reach IPs in remote network 172.20.250.0/24
but the remote network can't reach IP's in my local network 10.33.86.0/24

This is the corresponding error message:

2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500

To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
Does anybody have an idea about this?
Cheers
Thomas


This thread was automatically locked due to age.
Parents
  • 0
    So there is additional info:
    LOCAL:
    Model ASG320
    Firmware version:9.004-34
    local network: 172.26.32.24
    local gateway: 159.xx.xx.xx
    IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 7800s / PFS MODP_1024
    IPsec: Enc AES_CBC_128 / Hash HMAC_SHA1 / Lifetime 3600s

    REMOTE:
    Check Point R75.10
    vpn-gateway (remote gateway)- 193.xx.xx.xx; 
    vpn-domain (remote network) - 172.30.18.81; 
    Encryption Method - IKEv2, IKEv1; 
    Encryption Suite Phase1 - AES256/SHA1/Goup2(1024bit); 
    Encryption Suite Phase2 - AES128/SHA1/Goup2(1024bit);

    Please see attachments for screenshots of both systems.
    So I can reach remote (172.30.18.81), but remote network can't reach local (172.26.32.24)
    Checkpoint.zip
Reply
  • 0
    So there is additional info:
    LOCAL:
    Model ASG320
    Firmware version:9.004-34
    local network: 172.26.32.24
    local gateway: 159.xx.xx.xx
    IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 7800s / PFS MODP_1024
    IPsec: Enc AES_CBC_128 / Hash HMAC_SHA1 / Lifetime 3600s

    REMOTE:
    Check Point R75.10
    vpn-gateway (remote gateway)- 193.xx.xx.xx; 
    vpn-domain (remote network) - 172.30.18.81; 
    Encryption Method - IKEv2, IKEv1; 
    Encryption Suite Phase1 - AES256/SHA1/Goup2(1024bit); 
    Encryption Suite Phase2 - AES128/SHA1/Goup2(1024bit);

    Please see attachments for screenshots of both systems.
    So I can reach remote (172.30.18.81), but remote network can't reach local (172.26.32.24)
    Checkpoint.zip
Children
No Data
Unfiltered HTML