Hi There,
I have set up a different NAT IP now but with the server configuration wizard which should create the automatic arp entries, the fw ctl arp shows:
[Expert@GW2]# fw ctl arp
.....
(192.168.232.70) at 00-xx-xx-xx-xx-xx interface 192.168.232.253
Which is the MAC address of the Check Point on that local LAN, as expected.
The following command from server A contacting the NAT 192.168.232.70 eventually times out
# ssh -p 80 -v 192.168.232.70
tcpdump generated on the Check Point from the command above:
18:45:08.227136 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:45:08.227182 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx (oui Unknown), length 46
18:45:41.670006 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:45:44.752975 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:45:44.753029 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx (oui Unknown), length 46
18:46:13.681121 IP ulive.37472 > 192.168.232.70.www: Flags [S], seq 2802536161, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
18:46:13.683147 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:14.694007 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:15.722018 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:18.801058 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:46:18.801109 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx:xx (oui Unknown), length 46
18:46:22.962116 ARP, Request who-has 192.168.232.70 tell 192.168.232.70, length 28
18:47:31.530069 ARP, Request who-has 192.168.232.70 tell 192.168.232.70, length 28
No traffic emerges at the other end of the IPsec tunnel.
I will open a ticket as suggested but I am still very interested to hear from others who may have successfully set this up.
Thanks for your time
Regards
Dek
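As an added example, not part of the post above nor Check Point's own tooling, the script below parses the kind of tcpdump output quoted in the post and separates the three things worth telling apart when debugging a static NAT: ARP requests for the NAT address from other hosts on the segment and the gateway's replies to them (proxy ARP working), the inbound SYN to the NAT address and whether any SYN-ACK ever comes back from it, and ARP requests for the NAT address sent by the gateway itself. The sample capture is the post's own lines (MACs masked by the poster); the assumption that `my.firewall` is the gateway's own hostname is mine, since the capture was taken on the Check Point.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines quoted in the post above (MACs masked by the poster).
SAMPLE_CAPTURE = """\
18:45:08.227136 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:45:08.227182 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx (oui Unknown), length 46
18:45:41.670006 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:45:44.752975 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:45:44.753029 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx (oui Unknown), length 46
18:46:13.681121 IP ulive.37472 > 192.168.232.70.www: Flags [S], seq 2802536161, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
18:46:13.683147 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:14.694007 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:15.722018 ARP, Request who-has 192.168.232.70 tell my.firewall, length 28
18:46:18.801058 ARP, Request who-has 192.168.232.70 tell ulive, length 46
18:46:18.801109 ARP, Reply 192.168.232.70 is-at 00:xx:xx:xx:xx:xx:xx (oui Unknown), length 46
18:46:22.962116 ARP, Request who-has 192.168.232.70 tell 192.168.232.70, length 28
18:47:31.530069 ARP, Request who-has 192.168.232.70 tell 192.168.232.70, length 28
"""

NAT_IP = "192.168.232.70"          # the static NAT address from the post
GATEWAY_NAMES = {"my.firewall"}    # assumption: the gateway's own hostname as tcpdump resolves it

# Line shapes produced by "tcpdump -n"-less output: ARP request, ARP reply, TCP packet.
ARP_REQ = re.compile(r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+), length (?P<len>\d+)$")
ARP_REP = re.compile(r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>\S+)(?: \(oui [^)]*\))?, length (?P<len>\d+)$")
IP_PKT = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return a dict describing one tcpdump line, or None if the line is not recognised."""
    for kind, rx in (("arp_request", ARP_REQ), ("arp_reply", ARP_REP), ("ip", IP_PKT)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def analyse(capture, nat_ip, gateway_names):
    """Summarise ARP and TCP handshake activity around one NAT address."""
    counts = Counter()
    reply_macs = set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "arp_request" and rec["target"] == nat_ip:
            # Requests from the gateway (or from the NAT IP itself) mean the gateway is trying
            # to resolve the NAT address on the local segment instead of answering for it.
            if rec["sender"] in gateway_names or rec["sender"] == nat_ip:
                counts["gateway_self_arp_requests"] += 1
            else:
                counts["external_arp_requests"] += 1
        elif rec["kind"] == "arp_reply" and rec["ip"] == nat_ip:
            counts["arp_replies_for_nat"] += 1
            reply_macs.add(rec["mac"])
        elif rec["kind"] == "ip":
            syn, ack = "S" in rec["flags"], "." in rec["flags"]
            if rec["dst"] == nat_ip and syn and not ack:
                counts["syn_to_nat"] += 1
            if rec["src"] == nat_ip and syn and ack:
                counts["syn_ack_from_nat"] += 1

    findings = []
    if counts["external_arp_requests"] and counts["arp_replies_for_nat"]:
        findings.append("gateway answers ARP for the NAT address (proxy ARP is working)")
    if counts["syn_to_nat"] and not counts["syn_ack_from_nat"]:
        findings.append("SYN reached the NAT address but no SYN-ACK came back from it")
    if counts["gateway_self_arp_requests"]:
        findings.append("gateway itself ARPs for the NAT address: the packet is being routed "
                        "towards the local segment rather than translated and forwarded")
    return {**{k: counts[k] for k in ("external_arp_requests", "arp_replies_for_nat",
                                      "gateway_self_arp_requests", "syn_to_nat",
                                      "syn_ack_from_nat")},
            "reply_macs": sorted(reply_macs), "findings": findings}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CAPTURE, NAT_IP, GATEWAY_NAMES).items():
        print(f"{key}: {value}")
```

Run against the post's capture it reports three external requests each answered by the gateway, one SYN with no SYN-ACK, and six ARP requests for the NAT address sent by the gateway or the NAT address itself, which is the line worth taking to the support ticket: a gateway that proxies an address should never need to resolve it on the wire.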