I am replacing some aging Checkpoint R71 appliances with 1590 appliances and am testing a very simple IPSEC VPN Site to Site VPN from a Linux-based StrongSwan user.
According to the VPN Tunnels link and tcpdump, the VPN appears established, with ESP sequence numbers increasing when I ping from the remote site inbound to the Checkpoint 1590. The traffic however does not leave the Checkpoint 1590 internal interface to the destination host and I cannot figure out why.
The log on the checkpoint shows:
and:
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "192.168"
WAN:i0 (tcpt inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i1 (vpn multik forward in)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i3 (l2tp inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i4 (Stateless verifications (in))[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i5 (fw multik misc proto forwarding)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i6 (fw early SIP NAT)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i7 (vpn tagging inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i8 (vpn decrypt verify)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i9 (fw VM inbound )[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I10 (vpn policy inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I11 (vpn before offload)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I12 (fw offload inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
I am really after ideas on how I can further debug this issue please. I have an access rule which allows 192.168.236.100 any TCP port to 10.110.116.20.
Any help, hints or pointers would be greatly appreciated.
Regards
Dek
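As an added example (not from the original post or from Check Point), a small Python helper that parses the `fw ctl zdebug` chain-trace lines quoted above, groups them per packet id and reports the last inbound module each packet reached and whether any outbound (`o`) chain entry was captured at all. The line format is inferred from the lines in the post; the embedded sample is the post's own trace.

```python
import re
from collections import defaultdict

# Constructed sample: the inbound chain-trace lines quoted in the post.
SAMPLE = """\
WAN:i0 (tcpt inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i1 (vpn multik forward in)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i3 (l2tp inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i4 (Stateless verifications (in))[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i5 (fw multik misc proto forwarding)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i6 (fw early SIP NAT)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i7 (vpn tagging inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i8 (vpn decrypt verify)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i9 (fw VM inbound )[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I10 (vpn policy inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I11 (vpn before offload)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I12 (fw offload inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
"""

# One trace line: <iface>:<i|o><pos> (<module>)[n]:<src> -> <dst> (<proto>) len=<n> id=<n>;
# Module names may contain one level of nested parentheses, e.g. "Stateless verifications (in)".
LINE_RE = re.compile(
    r"^(?P<iface>[^:]+):(?P<dir>[iIoO])(?P<pos>\d+) \((?P<module>(?:[^()]|\([^()]*\))*)\)"
    r"\[\d+\]:(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+);")

def parse(text):
    """Group trace lines by packet; each hop is (direction, chain position, module name)."""
    packets = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # lines that are not chain entries (e.g. "Monitor" headers) are skipped
            d = m.groupdict()
            key = (d["src"], d["dst"], d["proto"], int(d["id"]))
            packets[key].append((d["dir"].lower(), int(d["pos"]), d["module"].strip()))
    return packets

def diagnose(packets):
    """Per packet: inbound modules traversed, the last one, and whether an outbound (o) hop was seen."""
    report = {}
    for key, hops in packets.items():
        hops = sorted(hops, key=lambda h: (h[0], h[1]))  # 'i' hops first, then by chain position
        inbound = [m for d, _, m in hops if d == "i"]
        report[key] = {"inbound_modules": inbound,
                       "last_inbound": inbound[-1] if inbound else None,
                       "reached_outbound": any(d == "o" for d, _, _ in hops)}
    return report

if __name__ == "__main__":
    for key, r in diagnose(parse(SAMPLE)).items():
        print(key, "last inbound:", r["last_inbound"], "outbound seen:", r["reached_outbound"])
```

If a packet shows only inbound hops, either it was dropped or not routed after the inbound chain, or the `grep` filter hid the outbound entries; re-run the capture without the grep and compare with `fw ctl zdebug + drop` before concluding.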