
RE: [FW1] VPN and NAT




You're receiving the error msg "Gateway connected to both endpoints" because
you have a two way vpn defined using one rule.  If you separate it into two
rules that error msg should go away.  The VPN is probably not working
because you need to create a manual address translation rule to keep the
packets destined for the other side of the VPN from being translated.  NAT
breaks VPNs....

Manual Rule:

    Original Packet                     Translated Packet
    Source      Destination   Service   Source     Destination   Service
    Local_Net   Remote_Net    Any       Original   Original      Original

-Warren.
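To see why the order of the translation rules matters, here is an added example (not from this list post or from Check Point) that models a first-match NAT rule base with the addresses from the thread; the /24 masks and the internet test address are assumptions, since the post gives no masks.

```python
import ipaddress

# Addresses taken from the thread; the /24 masks are an assumption.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")    # netA behind firewallA
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")   # netB, the far side of the VPN
HIDE_ADDR = ipaddress.ip_address("209.219.110.130")   # firewallA's external (le1) address
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (original source net, original destination net, translated source);
# None stands for "Original", i.e. leave the source address untouched.
# Rules are evaluated top to bottom, first match wins, like a FW-1 NAT rule base.
HIDE_ONLY = [
    (LOCAL_NET, ANY, HIDE_ADDR),          # automatic hide NAT, as the poster had it
]
NO_NAT_FIRST = [
    (LOCAL_NET, REMOTE_NET, None),        # manual rule: Original / Original / Original
    (LOCAL_NET, ANY, HIDE_ADDR),          # hide NAT for everything else (internet)
]
WRONG_ORDER = list(reversed(NO_NAT_FIRST))  # manual rule placed below the hide rule


def translate_source(rules, src, dst):
    """Return the source address a packet leaves the firewall with."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for src_net, dst_net, new_src in rules:
        if src in src_net and dst in dst_net:
            return str(src if new_src is None else new_src)
    return str(src)  # no rule matched: no translation


def in_encryption_domain(src, dst):
    """The peer only accepts VPN traffic whose addresses lie in the encryption domains."""
    return (ipaddress.ip_address(src) in LOCAL_NET
            and ipaddress.ip_address(dst) in REMOTE_NET)


def vpn_packet_ok(rules, src, dst):
    """True if the packet still matches the encryption domains after translation."""
    return in_encryption_domain(translate_source(rules, src, dst), dst)
```

With only the hide rule, a netA host reaches the far gateway as 209.219.110.130, which is outside netA's encryption domain, so the VPN never sees matching traffic; the manual rule fixes this only when it sits above the hide rule.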

-----Original Message-----
From: Jeff Blada [mailto:[email protected]] 
Sent: Monday, April 23, 2001 4:51 PM
To: '[email protected]'
Subject: [FW1] VPN and NAT


Hello,

I am having a problem setting up a LAN-to-LAN VPN using SKIP, both firewalls
are v4.1, running on NT 4.0 sp6. Both firewalls are using automatic hide
NAT. After configuring the VPN, I am unable to ping or connect to resources
from internal to internal network, and I do not see any encryption occurring
in the log. I do get the following error "Encryption failure: gateway
connected to both endpoints scheme: SKIP". NAT to the internet is
functioning properly at both sites. I am able to successfully generate and
pull the encryption keys. 

Here is the configuration:

netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) --
netB
        
        netA is private: 192.168.0.0
        le0: is 192.168.0.1
        le1: is 209.219.110.130
        
        netA objects:
        netAfw - local firewall object
        netBfw - remote firewall object
        netA-net - local network object
            network: 192.168.0.0
        netB-net - remote network object
            network: 192.168.1.0

        encryption rule on firewallA:
        netA-net    netB-net    any    encrypt    long    gateway    all
        netB-net    netA-net    any    encrypt    long    gateway    all

        netB is private: 192.168.1.0
        le0: 192.168.1.1
        le1: 24.9.197.124
        
        netB objects:
        netBfw - local firewall object
        netAfw - remote firewall object
        netB-net - local network object
        netA-net - remote firewall object

        encryption rule on firewallB:
        netB-net    netA-net    any    encrypt    long    gateway    all
        netA-net    netB-net    any    encrypt    long    gateway    all


on firewallA: address translation 
automatic hide: 192.168.0.0 -> 209.219.110.130

on firewallB: address translation
automatic hide: 192.168.1.0 -> 24.9.197.124

Am I missing something? What should my encryption domains contain to account
for the NAT? Do I need any other rules?

Thanks for any help!


Jeff Blada, MCSE, CCA, CCNA
Senior Network Technician
Agility Computer Network Services, L.L.C.

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
