[FW1] IKE VPN Illegal <---> Illegal
Hi,

I have the following setup...

Checkpoint 4.1 SP3 Stand-Alone on NT 4.0 SP6a (both machines)

Internal_NetA(172.16.1.0) ------> FW-A ---router---> Internet <---------FW-B <---router--------Internal_NetB(192.168.1.0)

I'm using IKE with a shared secret, 3DES + MD5.
Phase 1 and Phase 2 complete without any problems.

The rule is as follows:

#   Source          Destination     Service   Action
1-  Internal_NetA   Internal_NetB   ANY       Encrypt
2-  Internal_NetB   Internal_NetA   ANY       Encrypt

Encryption domain is...
For FW-A is Internal_NetA + FW-A
For FW-B is Internal_NetB + FW-B

Address Translation

On FW-A
Internal_NetA ---> Internal_NetA   orig.  orig.  orig.
Internal_NetA ---> Any             FW-A   orig.  orig.

On FW-B
Internal_NetB ---> Internal_NetB   orig.  orig.  orig.
Internal_NetB ---> Any             FW-B   orig.  orig.

The problem I'm having is that from Internal_NetA I cannot PING Internal_NetB and vice-versa.

I can see the packet in the log of the FW-A
...... Encrypt 172.16.1.2 ----> 192.168.1.2 etc.....
(Same applies to FW-B)

But at the other end I do not see anything in the log. The only thing I see is
....KEY INSTALL FW-A(Valid Address) ---> FW-B (Valid Address)
(Same applies to FW-B)

I can however PING the remote Firewall's external IP address and it encrypts and decrypts from both the 172.16.1.0 and 192.168.1.0 networks.

I believe it to be a routing issue on the firewalls; I've tried to add a route on FW-A and FW-B....

This is the example of FW-A...

route add Internal_NetB FW-B External IP Address

this comes out to

route add 192.168.1.0 205.150.x.x

Is this correct? If not, can someone show me the right way of doing it? Am I missing something?

I sure hope someone can help me, I'm going crazy!!!!!

Thanking you in advance.

Blitz