I have recently encountered a somewhat annoying behavior on an IPsec VPN tunnel between a 3100 appliance running Gaia R80.30 and a Zyxel USG 60.
The topology is fairly simple: a Check Point gateway with an internal LAN behind it, attempting communication through an IPsec VPN with a NAT-ed LAN behind a Zyxel USG at the customer side (the NAT is needed because of address restrictions in my Check Point environment).
LAN3 cannot be migrated to the LAN2 range due to limited onsite resources. The Check Point gateway doesn't know anything about the LAN3 range (and shouldn't, as that is what the customer is NATing to on their side).
Here comes the fun part:
- LAN3 hosts accessing LAN1 servers works fine for permitted services.
- LAN1 hosts accessing LAN2 IP addresses (which are NATed to the LAN3 range) are rejected with an IKE failure and the message "encryption failure: Error occurred".
NAT definitions and access policies on the USG have been checked, rechecked, defined and redefined. What am I missing?
I'm running IKEv1 with the higher encryption setting; I tried lowering it as well, but without success (it shouldn't be the cause of this anyway).
I'll take any suggestions I can get; I'm running out of ideas on my own 🙂