MattDunn

VPN Issue - Wrong IP

Hi,

I have a gateway with several VPNs on it. Some go via the Internet, and some are routed internally via MPLS lines. These all work fine. Now I'm trying to set up a new site-to-site VPN and it isn't working.

Here's what I'm trying to do:

So my peer IP is a DMZ interface - 12.12.12.178.

I'm VPNing to remote peer IP 192.168.145.10.

On the firewall I'm routing 192.168.145.0/24 via 12.12.12.224.

Firewall-A> show route destination 192.168.145.10
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

S 192.168.145.0/24 via 12.12.12.224, eth2.105, cost 0, age 279519

I have an existing VPN set up in the same way via a different DMZ interface and that works fine - although I'm reminded that we had exactly the same problem when setting that up, and I fixed it on my side. I just can't remember what I did to fix it, hence asking for help!

The problem is that the remote side is seeing me coming from the gateway's public "main IP" - shown as A.A.A.A on the diagram. In IkeView I see IPs 192.168.145.10 and 12.12.12.178 in packets 1 to 5, then in packet 6 I'm sending my public A.A.A.A IP to the remote peer. I don't understand why.

On my gateway I've got VPN link selection set as follows, using the routing table, which is correct.

I can't really alter this, otherwise existing VPNs will stop working.

Does anyone know what else I need to do to stop P1 Packet 6 sending my A.A.A.A IP instead of the correct 12.12.12.178 IP?

Thanks,

Matt


Re: VPN Issue - Wrong IP

Hi Matt,

I believe what you are seeing is that your gateway is sending its Main IP as the IKE ID for the VPN tunnel, and the peer is not completing the process, so essentially the tunnel is not forming.

Do you know what the far end of the tunnel gateway is? I know on Cisco ASA they can either turn off some strict checking of the IKE ID against the peer IP, or they can set the IKE ID to your main IP but have the peer IP as the IP that you desire.

For reference: IKE Main Mode negotiation fails with error "invalid id" when Check Point Security Gateway has ISP re...

Regards

Mark 
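To make the "invalid id" symptom concrete, here is an added example (not code from the thread or from Check Point) that parses the ISAKMP Identification payload of a Main Mode message as IkeView shows it after decryption, and reports whether the IKE ID the initiator sent matches the peer address the far side expects. The packet bytes are constructed for the example; 203.0.113.1 stands in for the gateway's A.A.A.A main IP.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408 layout, 28 bytes)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_ID = 5          # Identification payload type
ID_IPV4_ADDR = 1        # ID type: a single IPv4 address
EXCH_MAIN_MODE = 2      # Identity Protection exchange (Main Mode)

def build_mm_packet6(ike_id_ip):
    """Constructed sample: a cleartext Main Mode message carrying only the
    ID payload, i.e. what IkeView shows for packet 6 once decrypted."""
    addr = IPv4Address(ike_id_ip).packed
    body = struct.pack("!BBH", ID_IPV4_ADDR, 17, 500) + addr   # proto UDP, port 500
    payload = struct.pack("!BBH", 0, 0, 4 + len(body)) + body   # next payload = NONE
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, PAYLOAD_ID, 0x10,
                          EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR.size + len(payload))
    return hdr + payload

def extract_ike_ids(pkt):
    """Walk the payload chain and return every IPv4 address sent as an IKE ID."""
    _ic, _rc, nxt, _ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    if exch != EXCH_MAIN_MODE:
        raise ValueError("not a Main Mode message")
    ids, off = [], ISAKMP_HDR.size
    while nxt != 0:
        ptype = nxt
        nxt, _res, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_ID:
            idtype, _proto, _port = struct.unpack_from("!BBH", pkt, off + 4)
            if idtype == ID_IPV4_ADDR:
                ids.append(str(IPv4Address(pkt[off + 8:off + 12])))
        off += plen
    return ids

def check_ike_id(pkt, expected_peer_ip):
    """Pair each IKE ID with whether it equals the address the peer expects;
    a False here is exactly the mismatch a strict responder rejects."""
    return [(i, i == expected_peer_ip) for i in extract_ike_ids(pkt)]
```

A responder with strict ID checking will only accept the tunnel when the ID equals the configured peer address (12.12.12.178 here), which is why allowing the main IP as well on the far side makes the negotiation succeed.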

MattDunn

Re: VPN Issue - Wrong IP

Thanks Mark Mitchell!

I found a similar solution at the same time... the last paragraph of Pg. 10 of http://dl3.checkpoint.com/paid/e8/How-To-Setup-a-site-to-site-VPN-tunnel-using-external-and-internal...

The remote side allowed IKE from our public IP too, and the tunnel came straight up.

Cheers,

Matt

Re: VPN Issue - Wrong IP

No worries Matt. Glad you got it sorted.

Regards

Mark
