RE: [FW1] VPN and NAT
You're receiving the error msg "Gateway connected to both endpoints" because
you have a two way vpn defined using one rule. If you separate it into two
rules that error msg should go away. The VPN is probably not working
because you need to create a manual address translation rule to keep the
packets destined for the other side of the VPN from being translated. NAT
breaks VPNs....
Manual Rule:
                 Original Packet                 Translated Packet
  Source      Destination   Service      Source      Destination   Service
  Local_Net   Remote_Net    Any          Original    Original      Original
-Warren.
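As an added illustration of Warren's point (not code from the list post or from Check Point), the small Python model below evaluates a NAT rule base on firewallA first-match style and shows why the manual Original/Original/Original rule has to sit above the automatic hide rule. The addresses are the ones Jeff posted; the /24 masks, the first-match semantics, the sample hosts and the internet destination are assumptions.

```python
"""Order-dependent NAT matching: why VPN peers must be exempted from hide NAT.

Added example, not from the FW1 list thread. Addresses come from the thread;
the /24 masks and first-match rule evaluation are assumptions.
"""
import ipaddress

# Constructed from the thread: both private networks and firewallA's le1 address.
NETA = ipaddress.ip_network("192.168.0.0/24")      # netA-net (mask assumed)
NETB = ipaddress.ip_network("192.168.1.0/24")      # netB-net (mask assumed)
FWA_EXT = ipaddress.ip_address("209.219.110.130")  # firewallA le1
ANY = ipaddress.ip_network("0.0.0.0/0")


def hide_rule(src_net, dst_net, hide_behind):
    """Hide NAT: every matching source is rewritten to hide_behind."""
    return {"src": src_net, "dst": dst_net, "hide": hide_behind}


def no_nat_rule(src_net, dst_net):
    """Manual 'Original / Original / Original' rule: matches, translates nothing."""
    return {"src": src_net, "dst": dst_net, "hide": None}


def translate_source(rules, src, dst):
    """Return the source address after NAT.

    The first matching rule wins; a packet that matches no rule is left alone.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["hide"] if rule["hide"] is not None else src
    return src


def vpn_rule_matches(post_nat_src, dst):
    """The encrypt rule on firewallA is netA-net -> netB-net, so it can only
    match if the packet's source still lies inside the local encryption domain."""
    return (ipaddress.ip_address(post_nat_src) in NETA
            and ipaddress.ip_address(dst) in NETB)


# firewallA as Jeff posted it: automatic hide NAT only.
AUTO_ONLY = [hide_rule(NETA, ANY, FWA_EXT)]

# firewallA with Warren's manual rule placed above the automatic hide rule.
WITH_MANUAL = [no_nat_rule(NETA, NETB), hide_rule(NETA, ANY, FWA_EXT)]


def vpn_traffic_survives(rules, src="192.168.0.50", dst="192.168.1.50"):
    """True when a netA -> netB packet reaches the encrypt rule untranslated."""
    return vpn_rule_matches(translate_source(rules, src, dst), dst)


def internet_traffic_hidden(rules, src="192.168.0.50", dst="198.51.100.7"):
    """True when ordinary internet-bound traffic is still hidden behind le1."""
    return translate_source(rules, src, dst) == FWA_EXT


if __name__ == "__main__":
    for name, rules in (("automatic hide only", AUTO_ONLY),
                        ("manual rule first", WITH_MANUAL)):
        print(f"{name}: VPN ok={vpn_traffic_survives(rules)}, "
              f"internet hidden={internet_traffic_hidden(rules)}")
```

With only the automatic rule, a host on netA talking to netB is rewritten to 209.219.110.130 before the encrypt rule sees it, so the packet no longer falls inside netA-net and goes out in the clear; with the manual rule first, VPN traffic keeps its original source while internet-bound traffic is still hidden behind le1. The same model applies unchanged to firewallB with its own addresses.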
-----Original Message-----
From: Jeff Blada [mailto:[email protected]]
Sent: Monday, April 23, 2001 4:51 PM
To: '[email protected]'
Subject: [FW1] VPN and NAT
Hello,
I am having a problem setting up a LAN-to-LAN VPN using SKIP, both firewalls
are v4.1, running on NT 4.0 sp6. Both firewalls are using automatic hide
NAT. After configuring the VPN, I am unable to ping or connect to resources
from internal to internal network, and I do not see any encryption occurring
in the log. I do get the following error "Encryption failure: gateway
connected to both endpoints scheme: SKIP". NAT to the internet is
functioning properly at both sites. I am able to successfully generate and
pull the encryption keys.
Here is the configuration:
netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) -- netB
netA is private: 192.168.0.0
le0: is 192.168.0.1
le1: is 209.219.110.130
netA objects:
netAfw - local firewall object
netBfw - remote firewall object
netA-net - local network object
network: 192.168.0.0
netB-net - remote network object
network: 192.168.1.0
encryption rule on firewallA:
netA-net netB-net any encrypt long gateway all
netB-net netA-net any encrypt long gateway all
netB is private: 192.168.1.0
le0: 192.168.1.1
le1: 24.9.197.124
netB objects:
netBfw - local firewall object
netAfw - remote firewall object
netB-net - local network object
netA-net - remote firewall object
encryption rule on firewallB:
netB-net netA-net any encrypt long gateway all
netA-net netB-net any encrypt long gateway all
on firewallA: address translation
automatic hide: 192.168.0.0 -> 209.219.110.130
on firewallB: address translation
automatic hide: 192.168.1.0 -> 24.9.197.124
Am I missing something? What should my encryption domains contain to account
for the NAT? Do I need any other rules?
Thanks for any help!
Jeff Blada, MCSE, CCA, CCNA
Senior Network Technician
Agility Computer Network Services, L.L.C.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================