[FW-1] VPN between NG-AI and 4.1, Star Topology
Hello folks. I wonder if someone could help us with our VPN setup.

We have a central gateway running 4.1-SP6, and we are bringing up two new firewalls at a remote site, both running NG-AI. We want to set up two VPN tunnels, one to each gateway. In order to do this, we created a VPN Community under AI, and called it a Star Topology. It looks like this:

    test1 ----- central-gw ----- test2

Info:

    test1:       IP = xx.xx.xx.178   Version NG-AI
    test2:       IP = xx.xx.xx.179   Version NG-AI
    central-gw:  IP = yy.yy.yy.241   Version 4.1-SP6

The VPN community has central-gw as the "central gateway" member, and test1 and test2 as "satellite gateway" members. The IKE and other parameters are set up to match, and shared secrets also match.

The VPN Community was set up on the NG-AI management station. The 4.1 gateway is managed by its own station, and an encryption domain was created to service its end of the tunnel.

This solution is partially working. We are able to ping from central-gw to test1, but not to test2.

The interesting thing shows up when running tcpdump on central-gw. A ping from test1 shows some output like this:

    16:41:53.666735 I xx.xx.xx.178 > yy.yy.yy.241: ESP(spi=71ad1d54,seq=0x5)
    16:41:53.668695 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522215,seq=0x5)
    16:41:54.678638 I xx.xx.xx.178 > yy.yy.yy.241: ESP(spi=71ad1d54,seq=0x6)
    16:41:54.686253 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522215,seq=0x6)

Even though the traffic is encrypted, it clearly shows traffic coming from test1 and being replied to. Pings from test1 are successful.
A ping from test2, on the other hand, generates this traffic:

    16:28:39.164795 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x300)
    16:28:39.167279 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e7)
    16:28:40.174782 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x301)
    16:28:40.176748 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e8)
    16:28:41.184787 I xx.xx.xx.179 > yy.yy.yy.241: ESP(spi=71ad1cd9,seq=0x302)
    16:28:41.186399 O yy.yy.yy.241 > xx.xx.xx.178: ESP(spi=c522212,seq=0x2e9)

The encrypted traffic comes in from test2, but as you can see, the encrypted reply is sent to test1! Why does this happen? I am not sure where the 4.1 box determines this routing decision.

I feel that if I were to create two separate VPN communities, one for test1 and another for test2, then this would work. But it seems that it should work with just one community.

Can anyone shed some light on this problem?

Thanks.

-- David DeSimone      || "It took me fifteen years to discover that I had no
   Network Admin       || talent for writing, but I couldn't give it up because
   [email protected]   || by that time I was too famous. -- Robert Benchley
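A check for the asymmetry the two traces show, added here as an example and not part of the original post: it parses tcpdump ESP lines in the format quoted above, pairs each inbound packet with the gateway's next outbound packet, and reports replies sent to a different peer than the one the request came from, plus which peers each outbound SPI is ever sent to. The addresses in the sample are constructed documentation-range stand-ins for the masked ones.

```python
import re

# One line of the tcpdump ESP output quoted in the post, e.g.
# "16:28:39.164795 I 192.0.2.179 > 198.51.100.241: ESP(spi=71ad1cd9,seq=0x300)"
ESP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[IO])\s+(?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)$"
)

def parse_esp(lines):
    """Return ESP packets as dicts; lines that are not ESP (ARP, ICMP, ...) are skipped."""
    pkts = []
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["spi"], d["seq"] = int(d["spi"], 16), int(d["seq"], 16)
            pkts.append(d)
    return pkts

def find_misdirected_replies(pkts):
    """Pair each inbound (I) packet with the next outbound (O) one; report replies
    whose destination is not the peer that sent the request."""
    findings, pending = [], None
    for p in pkts:
        if p["dir"] == "I":
            pending = p
        elif p["dir"] == "O" and pending is not None:
            if p["dst"] != pending["src"]:
                findings.append((pending["ts"], pending["src"], p["dst"], p["spi"]))
            pending = None
    return findings

def outbound_peers_by_spi(pkts):
    """Map each outbound SPI to the peers it is sent to; a satellite that never
    appears as a destination has no outbound SA on this gateway."""
    peers = {}
    for p in pkts:
        if p["dir"] == "O":
            peers.setdefault(p["spi"], set()).add(p["dst"])
    return peers

# Constructed sample modelled on the two traces in the post; 192.0.2.178/.179
# stand in for test1/test2 and 198.51.100.241 for central-gw.
SAMPLE_TRACE = """\
16:41:53.666735 I 192.0.2.178 > 198.51.100.241: ESP(spi=71ad1d54,seq=0x5)
16:41:53.668695 O 198.51.100.241 > 192.0.2.178: ESP(spi=c522215,seq=0x5)
16:28:39.164795 I 192.0.2.179 > 198.51.100.241: ESP(spi=71ad1cd9,seq=0x300)
16:28:39.167279 O 198.51.100.241 > 192.0.2.178: ESP(spi=c522212,seq=0x2e7)
16:28:40.174782 I 192.0.2.179 > 198.51.100.241: ESP(spi=71ad1cd9,seq=0x301)
16:28:40.176748 O 198.51.100.241 > 192.0.2.178: ESP(spi=c522212,seq=0x2e8)
"""
```

Running `find_misdirected_replies(parse_esp(SAMPLE_TRACE.splitlines()))` on the sample lists the two test2 requests answered toward test1, and `outbound_peers_by_spi` shows both outbound SPIs pointing only at test1's address, which is the symptom described above in tabular form.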