define "Solution-GW" with dynamic addressĢ. enable NAT-traversal on "Solution-GW" and "DC-GW"ġ.
If you forward any ESP/IKE/IPSEC-packet on "CUSTOMER-GW" you get the shown error.Ġ. If "Solution-GW" is defined with dynamic IP-address, you don't need any NAT for management and VPN on "CUSTOMER-GW".Īll connections are initiated from the "Solution-GW". This is important, without NAT-T you can't get the tunnel working for both directions. I think there is something wrong in your configuration.įirst of all you have to enable NAT-traversal and on "CUSTOMER-GW" you have to allow NAT-T like Maarten suggests. Some colleagues suggest using a dedicated pub-IP for the 1430 - but in the planned szeanrio this is not possible Session inside the VPN initated from behind the DAIP 1430 -> packets are running seamless to DC and the response is working also fine Session inside the VPN initated in DC -> no connection possible WAN Checkpoint drops IP/0 Strange part: Starting the ICMP behind the 1430 in direction to DC - I get stable responses. So the VPN Packet does not arrive at the 1430. Static Natting from the DC IP is configured but not taken into account. The encapsulated "VPN Packet" is routed correct, because the WAN Checkpoint also has VPN Softwareblade enabled it drops all IP/0 packets which are not matched by its internal SA, SPI list. This is the reaction of the WAN Checkpoint when I start a ICMP from the DC to the LAN behind the 1430 Appliance using the VPN TUNNEL
The point i do not understand is, the "client" initated connection throw the VPN is working fine, the DC initated connection does not work. VPN Tunnel is established without issues. Thanks in advance Christianįor testing purpose i have built up an rule which allows everything between the internal GW and the DC Checkpoint. So the main question: How can I avoid the dropping of the IP0 packets on Customer FW and make sure these packets where forwarded as configured in the Static NAT? I do not have the possibility of a dedicated public IP for this. (On DC-GW packtes are encrypted as expected.) - which is in fact not wrong the Customer-GW has of curse no matching SA for this VPN Connection. Management Traffic between DC and SOL is no problem - fetching policy and changes works like charm.Ĭustomer-GW is dropping all incomming IP0(0/0) packets because of missmatch in SA, when starting communication vom DC-GW. SOL-GW-IP - DC-IP - any - Customer IP - original Source - Dest - srv - trans Source - trans destĭC-IP - Customer IP - any - original - SOL-GW-IP
CHECK POINT VPN USING WRONG SOURCE IP PC
I have a strange problem nobody seems to have a solution for.Ĭheckpoint GW 80.30 ("DC-GW") -> Internet ICMP -> DATACENTER PC is okĭATACENTER PC -> ICMP -> BRANCH PC is failing.
0 kommentar(er)
