Checkpoint 5400 IPSec VPN problem
I am new to Checkpoint and tried to set up a VPN with a remote site that uses another brand of firewall.
Site A (Local): Checkpoint 5400
Subnet: 10.7.3.0/24
Site B (Remote): SonicWall NSA 5600
Subnet: 10.29.0.0/22, 192.168.12.0/12
The VPN is established and I saw 2 tunnels in both firewalls.
Subnets 10.7.3.0 and 10.29.0.0 are OK: ping and access to servers on both sides are OK,
but subnets 10.7.3.0 and 192.168.12.0 are not OK. tracert also shows the traffic not going through the VPN.
Checked the policies; they are OK.
What am I missing to make it work? Any help or request for additional config information is welcome.
Thanks
I would start by checking / fixing the subnet for the 192.168.12.0 network, as it doesn't appear correct.
192.168.12.0/12 ?
Network: 192.160.0.0/12 11000000.1010 0000.00000000.00000000 (Class C)
Broadcast: 192.175.255.255 11000000.1010 1111.11111111.11111111
HostMin: 192.160.0.1 11000000.1010 0000.00000000.00000001
HostMax: 192.175.255.254
This mixes up private and public networks. Please check first that you haven't made any typing mistakes.
Afterwards check what SmartLog is showing.
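
The subnet check from the reply above, as an added example that is not part of the original thread: it takes the encryption-domain entries quoted in the question and flags any entry with host bits set, any entry that reaches outside RFC 1918 private space, and any local/remote overlap. The function names `check_subnet` and `check_domains` are hypothetical, and the overlap check goes beyond what the thread discusses.

```python
import ipaddress

# RFC 1918 private address ranges
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnet(entry):
    """Return (canonical network, findings) for one 'address/prefix' entry."""
    iface = ipaddress.ip_interface(entry)
    net = iface.network  # the network a device derives after masking host bits
    findings = []
    if iface.ip != net.network_address:
        findings.append("host bits set: %s is really %s (up to %s)"
                        % (entry, net, net.broadcast_address))
    if not any(net.subnet_of(private) for private in RFC1918):
        findings.append("%s extends outside RFC 1918 private space" % net)
    return net, findings


def check_domains(local, remote):
    """Check every entry on both sides; return {entry: [findings]}."""
    report = {}
    nets = {}
    for side, entries in (("local", local), ("remote", remote)):
        for entry in entries:
            nets[(side, entry)], report[entry] = check_subnet(entry)
    # Overlapping local and remote domains make tunnel selection ambiguous.
    for (side_a, a), net_a in nets.items():
        for (side_b, b), net_b in nets.items():
            if side_a == "local" and side_b == "remote" and net_a.overlaps(net_b):
                report[a].append("overlaps remote entry %s" % b)
    return report


if __name__ == "__main__":
    # Subnets exactly as typed in the question
    result = check_domains(["10.7.3.0/24"],
                           ["10.29.0.0/22", "192.168.12.0/12"])
    for entry, findings in result.items():
        print(entry, "->", findings or "ok")
```
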
Do you have a (local) route to 192.168.12.0 in your interior that directs that traffic to the Checkpoint? If not, that could be the problem. One way to do this is to put a static route on the Checkpoint saying that 192.168 is via the external interface, then redistribute this into OSPF or whatever IGP you use internally.
