
[FW-1] VPN between NG-AI and 4.1, Star Topology



Hello folks.  I wonder if someone could help us with our VPN setup.

We have a central gateway running 4.1-SP6, and we are bringing up two
new firewalls at a remote site, both running NG-AI.  We want to set up
two VPN tunnels, one to each gateway.

In order to do this, we created a VPN Community under AI, and called it
a Star Topology.  It looks like this:

    test1  -----   central-gw  ----- test2

Info:

    test1:      IP = xx.xx.xx.178       Version NG-AI
    test2:      IP = xx.xx.xx.179       Version NG-AI

    central-gw: IP = yy.yy.yy.241       Version 4.1-SP6


The VPN community has central-gw as the "central gateway" member, and
test1 and test2 as "satellite gateway" members.  The IKE and other
parameters are set up to match, and shared secrets also match.  The VPN
Community was set up on the NG-AI management station.  The 4.1 gateway
is managed by its own station, and an encryption domain was created to
service its end of the tunnel.

This solution is partially working.  We are able to ping from central-gw
to test1, but not to test2.

The interesting thing shows up when running tcpdump on central-gw.  A
ping from test1 shows some output like this:

    16:41:53.666735 I xx.xx.xx.178 > yy.yy.yy.241: ESP(spi=71ad1d54,seq=0x5)
    16:41:53.668695 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522215,seq=0x5)
    16:41:54.678638 I xx.xx.xx.178 > yy.yy.yy.241: ESP(spi=71ad1d54,seq=0x6)
    16:41:54.686253 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522215,seq=0x6)

Even though the traffic is encrypted, it clearly shows traffic coming
from test1 and being replied to.  Pings from test1 are successful.

A ping from test2, on the other hand, generates this traffic:

    16:28:39.164795 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x300)
    16:28:39.167279 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e7)
    16:28:40.174782 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x301)
    16:28:40.176748 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e8)
    16:28:41.184787 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x302)
    16:28:41.186399 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e9)

The encrypted traffic comes in from test2, but as you can see, the
encrypted reply is sent to test1!  Why does this happen?  I am not sure
where the 4.1 box determines this routing decision.

I feel that if I were to create two separate VPN communities one for
test1, and another for test2, then this would work.  But it seems that
it should work with just one community.

Can anyone shed some light on this problem?  Thanks.

--
David DeSimone || "It took me fifteen years to discover that I had no
 Network Admin ||  talent for writing, but I couldn't give it up because
 [email protected] ||  by that time I was too famous.  -- Robert Benchley

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.