Hey everyone. Need some help with a site-to-site VPN I'm trying to build.
I'll try to provide as many details as possible; please let me know if I'm missing something, and any pointers would be greatly appreciated.
Site-to-site VPN with a (local) NetScreen ISG 2000 and (remote) Check Point firewall, policy based.
First of all, I'd like to confirm whether this could be a bug on the Check Point's side: the remote admin set the hash for Phase 1 to SHA-256 and we were receiving AES_XCBC! As soon as they changed the hash to SHA-1, Phase 1 came up. Weird, but solved with SHA-1, so I'm just checking what would have caused that.
Now to the real issue.
(All IPs and names are fictional.)
Local peer IP: 1.1.1.1
Remote peer IP: 2.2.2.3/32 (the remote side has a cluster of two Check Point firewalls, 2.2.2.1/32 and 2.2.2.2/32, with VIP 2.2.2.3/32)
Remote site's encryption domain: 192.168.10.0/24, NATed to 2.2.2.3, since we do not accept private domains; and since they will only be initiating traffic, this should be OK, right?
Local site's encryption domain: 172.10.10.11/32
The policy created is:
Untrust zone (2.2.2.3/32) -> Trust zone (172.10.10.11/32)
The following is an excerpt from the firewall's event log. Notice 2.2.2.2. Shouldn't that be 2.2.2.3? Or, in that case, should the local ID be the private domain 172.10.10.11/32?
2014-09-30 08:53:02 | info | IKE 2.2.2.3 Phase 2: No policy exists for the proxy ID received: local ID (1.1.1.1/255.255.255.255, 0, 0) remote ID (2.2.2.2/255.255.255.254, 0, 0).
2014-09-30 08:53:02 | info | IKE 2.2.2.3 Phase 2 msg ID 27f570c8: Responded to the peer's first message.
2014-09-30 08:52:58 | info | IKE 2.2.2.3 Phase 2 msg ID 27f570c8: Negotiations have failed.
Based on the IKE events we changed the policy to
Untrust zone (2.2.2.2/31) -> Trust zone (172.10.10.11/32), with no result.
The remote admin notified me that they could open a telnet session to a specific port on our local server 172.10.10.11/32 and the SA was showing A/- for a minute or so. It then went to I/I.
I could also provide a detailed IKE debug. Just let me know if it's needed.
Thanks in advance.
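As an added example (not part of the original post, and not a NetScreen or Check Point tool), here is a small Python script that parses the "No policy exists for the proxy ID received" event quoted above and compares the proxy ID the peer sent with the local and remote networks of the configured policy, reporting which side does not match. The sample event line is constructed from the post's fictional addresses, and the script assumes that a policy-based VPN requires the received proxy ID to match the policy networks exactly (an overlapping but non-identical network is still reported as a mismatch).

```python
"""Compare the proxy ID from a NetScreen 'No policy exists' IKE event
with the locally configured policy-based VPN networks."""
import ipaddress
import re

# Constructed sample event in the format shown in the post (fictional addresses).
SAMPLE_EVENT = (
    "IKE 2.2.2.3 Phase 2: No policy exists for the proxy ID received: "
    "local ID (1.1.1.1/255.255.255.255, 0, 0) "
    "remote ID (2.2.2.2/255.255.255.254, 0, 0)."
)

# Fields: peer address, then (address/netmask, protocol, port) for each proxy ID.
PROXY_ID_RE = re.compile(
    r"IKE (?P<peer>[\d.]+) Phase 2: No policy exists for the proxy ID received: "
    r"local ID \((?P<lip>[\d.]+)/(?P<lmask>[\d.]+), (?P<lproto>\d+), (?P<lport>\d+)\) "
    r"remote ID \((?P<rip>[\d.]+)/(?P<rmask>[\d.]+), (?P<rproto>\d+), (?P<rport>\d+)\)"
)


def parse_proxy_id_event(line):
    """Return the peer and both proxy IDs from the event, or None for other events."""
    m = PROXY_ID_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "peer": g["peer"],
        # ip_network accepts a dotted netmask; strict=False tolerates host bits set.
        "local": ipaddress.ip_network(f"{g['lip']}/{g['lmask']}", strict=False),
        "remote": ipaddress.ip_network(f"{g['rip']}/{g['rmask']}", strict=False),
        "local_proto_port": (int(g["lproto"]), int(g["lport"])),
        "remote_proto_port": (int(g["rproto"]), int(g["rport"])),
    }


def check_policy(event, policy_local, policy_remote):
    """Compare the received proxy ID with the policy's local (trust side) and
    remote (untrust side) networks. Returns a list of mismatch descriptions;
    an empty list means the proxy ID matches the policy.

    Assumption: exact match is required, so an overlapping network still fails.
    """
    want_local = ipaddress.ip_network(policy_local)
    want_remote = ipaddress.ip_network(policy_remote)
    findings = []
    for side, got, want in (("local", event["local"], want_local),
                            ("remote", event["remote"], want_remote)):
        if got == want:
            continue
        if got.overlaps(want):
            findings.append(f"{side} ID {got} overlaps policy {want} but is not identical")
        else:
            findings.append(f"{side} ID {got} does not match policy {want}")
    return findings


if __name__ == "__main__":
    event = parse_proxy_id_event(SAMPLE_EVENT)
    # The two policies the post tried, in the order they were tried.
    for local_net, remote_net in (("172.10.10.11/32", "2.2.2.3/32"),
                                  ("172.10.10.11/32", "2.2.2.2/31")):
        print(f"policy {remote_net} -> {local_net}, peer {event['peer']}:")
        for finding in check_policy(event, local_net, remote_net) or ["match"]:
            print("  " + finding)
```

Run against the event from the post, the first policy produces two findings (local 1.1.1.1/32 versus 172.10.10.11/32, and remote 2.2.2.2/31 overlapping but not equal to 2.2.2.3/32); the second policy clears the remote finding but the local one remains, which is a quick way to see whether the peer is presenting the peer address rather than the local encryption domain before pulling a full IKE debug.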