Nokia IP350 Firewall
Problem for Nokia IP350 (NBB335F000) Firewall

Site VPN failed between Checkpoint AI R55 gateways




By Mini Me - usenet poster

Hi All,

We are configuring a new firewall in our local and remote office.
Check Point AI R55 with HFA-02
Nokia IPSO 3.7.1
Windows 2000 SP4

Local VPN-1 Pro enforcement module - Nokia IP 350
Local Check Point Express SmartCenter server - Windows 2000
(statically NATed, with control connections enabled, located in the LAN)

Remote VPN-1 Pro enforcement module - Nokia IP 130

We can push the policies with no problem, but we are not getting logs from the
remote module.
The site VPN also fails, even though the time sync is correct.
We have the following error in the local log file: IKE: phase 1 received
notification from peer, invalid certificate.
The remote firewall module log shows the following error message:
IKE: Main mode validation timed out.

Any help would be greatly appreciated.

Thanks & Regards
Sekar.

Solution #1

posted on May 27, 2006

Charlie
Hi,
My problem has been resolved by doing the following.

1) Install a NAT rule on the remote module
* Original Source: remote module
* Original Destination: INTERNAL IP address of the mgmt server
* Original Service: ANY
* Translated Source: original
* Translated Destination: EXTERNAL IP address of the mgmt server
* Translated Service: original

2) Disable client-side NATting for manual NAT rules
Policy - Global properties - NAT - Uncheck 'Translate destination on client side'
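As an added illustration (not code from this thread or from Check Point), the following Python models the manual NAT rule from step 1 and shows why it matters: without it, the remote module addresses the management server by its private address, which the remote site cannot route; with it, the destination is rewritten to the public NAT address. The addresses are the ones given in the thread; the rule structure, first-match and "original" semantics, the "proto/port" service notation and the remote-site network masks are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

MGMT_INTERNAL = "10.65.16.19"      # management server, real (internal) address
MGMT_EXTERNAL = "209.20.128.199"   # its static-NAT address behind the local gateway
REMOTE_MODULE = "211.158.158.220"  # remote enforcement module, external interface

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str  # "proto/port" notation is an assumption of this example

@dataclass(frozen=True)
class NatRule:
    orig_src: str       # an address or "any"
    orig_dst: str
    orig_service: str
    xlate_src: str      # an address or "original" (keep the field unchanged)
    xlate_dst: str
    xlate_service: str

def _matches(field, value):
    return field == "any" or field == value

def apply_nat(rules, pkt):
    """First matching manual NAT rule wins; 'original' leaves a field untouched."""
    for r in rules:
        if (_matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst)
                and _matches(r.orig_service, pkt.service)):
            return Packet(
                src=pkt.src if r.xlate_src == "original" else r.xlate_src,
                dst=pkt.dst if r.xlate_dst == "original" else r.xlate_dst,
                service=pkt.service if r.xlate_service == "original" else r.xlate_service,
            )
    return pkt  # no rule matched: the packet leaves with its real destination

def routable_from_remote(pkt, site_nets):
    """A private destination is reachable only if it lies in a network the remote site has."""
    dst = ipaddress.ip_address(pkt.dst)
    if not dst.is_private:
        return True
    return any(dst in ipaddress.ip_network(n) for n in site_nets)

SOLUTION1_RULE = NatRule(REMOTE_MODULE, MGMT_INTERNAL, "any", "original", MGMT_EXTERNAL, "original")
REMOTE_SITE_NETS = ["10.86.16.0/24", "10.86.6.0/24"]  # masks assumed for the remote interfaces

def send_logs(rules):
    # Remote module -> management server log connection; returns (destination used, reachable?)
    pkt = Packet(REMOTE_MODULE, MGMT_INTERNAL, "tcp/18184")  # FW1_log to the object's real address
    out = apply_nat(rules, pkt)
    return out.dst, routable_from_remote(out, REMOTE_SITE_NETS)
```

Calling `send_logs([])` gives `('10.65.16.19', False)`, while `send_logs([SOLUTION1_RULE])` gives `('209.20.128.199', True)`; the same reasoning applies to the certificate and CRL fetches the remote module makes to the CA on the management server.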

Solution #2

posted on May 27, 2006

Rachel007
(Richard H Miller) wrote in message <>...

1. The VPN community rule allows from any and all services. Installed on both
firewalls.
2. I do not have the export option since both firewalls are internally
managed.
3. My first rule allows any service from the remote firewall to the management
server.

My setup is like this:
Local firewall
Nokia IP 350 - Enforcement module (IPSO 3.7.1) (CP AI R55 with HFA-2)
Int interface - 10.65.16.1
DMZ interface - 10.65.8.98
Ext interface - 209.20.128.60.198

Local management server
Windows 2000 SP4 - SmartCenter (CP AI R55 with HFA-2)
IP address - 10.65.16.19 (static NAT enabled with IP address 209.20.128.199)
(control connections also enabled)

Remote firewall
Nokia IP 130 - Enforcement module (IPSO 3.7.1) (CP AI R55 with HFA-2)
Int interface - 10.86.16.1
DMZ interface - 10.86.6.2
Ext interface - 211.158.158.220

The first rule allows the remote firewall to access the management server
(service - ANY), and there is also a VPN community rule for the site-to-site VPN
(service - ANY).
The remote gateway and local gateway are members of the community.
The management server is also the certificate authority (default).

I can do SIC and push policies to the remote firewall. But when I try to ping
the remote internal IP address, it tries to establish the tunnel, and the error
message shows (IKE phase 1 - received notification from peer, invalid
certificate). I am also not receiving logs from the remote firewall.
Both firewalls' hosts files have the name and public IP address of the
firewall and management server, so there is no problem with name resolution.
Date & time are correct on the firewalls and management server.

Solution #3

posted on May 27, 2006

pandamama
Turn on VPN debug at the command prompt ("VPN debug on")... then read
your logs.


Solution #4

posted on May 27, 2006

Grant
: No problem with SIC. In fact I can push the policies without any problem.

: > SIC? has it been established between the FW and Nokia?

Ok

1) Did you define a rule in both modules' policies to allow IKE? This will be before any encryption rules
and allows the two modules to exchange key information.

2) Did you export your CA information and install a certificate on the remote box and set up the appropriate
trust for the certs? [From the error message it looks like you have the VPN defined as a cert.] Is there a
reason to use this instead of a shared secret?

3) Have you set up a rule to allow the enforcement module to completely talk with the management server?

Richard H. Miller, MCSE, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine

Solution #5

posted on May 27, 2006

Phoebe
If you are using a pre-shared secret, try this suggested solution.

Re-enter the pre-shared secrets for the firewall objects involved in the VPN.
This clearly applies only when pre-shared secrets are being used and may not
always be the solution to the problem.


Solution #6

posted on May 27, 2006

Perkins
No problem with SIC. In fact I can push the policies without any problem.

Solution #7

posted on May 27, 2006

Cornish
SIC? Has it been established between the FW and the Nokia?

