topic Re: VPN LAN to LAN to 1490 is up but not working in General Topics

VPN LAN to LAN to 1490 is up but not working

Anibal_Onnis — Wed, 13 Mar 2019 13:22:12 GMT

Hello,

I am configuring a L2L between a CP 1490 and a 5000 box. I am pretty sure the problem lies on the 1490, because we have quite a few tunnels on the 5000 that work just fine -and this is my first time with a 1490 so I might be missing something there.

When I check on the 1490, it says the tunnel is up -I can see the same in the 5000. The logs in the 5000 shows the packets get encrypted and sent on its way.

Checking the logs on the 1490 I see the key gets installed, but I also see this:

IKE failure: Child SA exchange: Received notification from peer: Traffic selectors unacceptable

Are any routes needed in the 1490 for the subnets on the other side? Since this is a Policy-based L2L I guess they are not but I am trying to make sure I am not missing anything.

Thanks,

//Anibal

Re: VPN LAN to LAN to 1490 is up but not working

Jerry — Wed, 13 Mar 2019 15:59:48 GMT

EncDom mismatch - check Encryption Domain membership on both ends and make sure you've got a proper cross-routing in place, otherwise you may need to look into this --sk86582--

Re: VPN LAN to LAN to 1490 is up but not working

Jerry — Wed, 13 Mar 2019 16:01:02 GMT

also check this out:

https://community.checkpoint.com/t5/Remote-Access-Solutions/VPN-Routing-Route-all-except-for-Internet-traffic/td-p/22913

Re: VPN LAN to LAN to 1490 is up but not working

Anibal_Onnis — Wed, 13 Mar 2019 18:43:04 GMT

Hello,

the encryption domain in the hub CP is system-wide, and all I've got for this community is the only subnet on the remote side (1490).

On the remote side, I am defining the remote subnets manually, matching two of the subnets in the hub. The local encryption domain includes the only LAN subnet.

I've read the SK you posted about VPN routing -in the hub, I am only routing through the center. Is there such an option in the 1490?

//Anibal