CheckMates - Products - Quantum - Security Gateways
VPN with Two GWs Managed by One SMS - One GW is in AWS
I'm in the process of trying to set up an IPSec VPN between two Security Gateways that are managed by a single Security Management Server. The catch is that one of the Security Gateways is in AWS. The current error I am getting is the following:
Auth exchange: Received notification from peer: Authentication failed MyAuthMethod: Certificates
The interesting part is, I have it set up to only use PSKs in the community. I have also gone into the Security Gateway Properties --> IPSec VPN --> Traditional mode configuration --> unchecked Public Key Signatures and checked Pre-Shared Secrets. I also specified the PSKs in the "Edit Secrets" menu.
Gateway STLFW01 is R81 with no JHF (I plan to fix this soon)
Gateway ParisFW01 is R80.30 with JHF 236. (This is the AWS Security Gateway)
Since the Paris Security Gateway is in AWS, I have also configured route tables as follows:
- Traffic going to the private networks is to go to the security gateway. This is only associated with the AWS internet gateway.
- Traffic going from the protected network (behind the security gateway) to the private networks is to be directed to the Security Gateway. This is only associated with the protected network subnet.
- Traffic from the security gateway going to 0.0.0.0/0 is to go to the internet gateway. This is only associated with the network between the security gateway and the AWS internet gateway (we are calling this the public DMZ)
One item that is strange with AWS is that since the Check Point firewall can't have a leg on the internet, I have to choose the link address for the IPSec VPN to manually be the actual public IP. If I choose the private IP and expect the AWS Internet Gateway to NAT it, the traffic from STLFW01 will time out completely.
Labels: NAT, Open Server, Site to Site VPN
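The three AWS route tables described in the post, modelled as an added example (not code from the post, from Check Point, or from AWS). All CIDRs, the gateway ENI id and the IGW id are constructed placeholders; the point is to resolve the next hop for each direction of a flow with AWS-style longest-prefix matching, so that an asymmetric path (one direction bypassing the gateway, which breaks IPsec and NAT state) is caught before the community is built.

```python
"""Model of the three AWS route tables from the post (constructed example)."""
import ipaddress

# Constructed addressing: the post names no CIDRs or resource ids.
VPC_CIDR = "10.20.0.0/16"
PROTECTED_SUBNET = "10.20.0.0/24"      # hosts behind ParisFW01 (protected network)
PUBLIC_DMZ_SUBNET = "10.20.1.0/24"     # between ParisFW01 and the AWS Internet Gateway
GATEWAY_ENI = "eni-PLACEHOLDER"        # placeholder: the gateway's internal ENI
IGW = "igw-PLACEHOLDER"                # placeholder: the VPC's Internet Gateway


class RouteTable:
    """One AWS route table; AWS always adds the implicit 'local' route for the VPC."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(VPC_CIDR), "local")] + [
            (ipaddress.ip_network(cidr), target) for cidr, target in routes
        ]

    def lookup(self, dst):
        """Longest-prefix match; None means AWS has no route and drops the packet."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, target) for net, target in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# 1. Edge association on the Internet Gateway: traffic for the protected
#    network entering from the internet is handed to the gateway.
IGW_EDGE_TABLE = RouteTable("igw-edge", [(PROTECTED_SUBNET, GATEWAY_ENI)])
# 2. Protected subnet: everything leaving the subnet goes to the gateway.
PROTECTED_TABLE = RouteTable("protected", [("0.0.0.0/0", GATEWAY_ENI)])
# 3. Public DMZ: the gateway's own egress goes to the Internet Gateway.
DMZ_TABLE = RouteTable("public-dmz", [("0.0.0.0/0", IGW)])


def table_for_ingress(src):
    """Pick the table AWS consults from where the packet enters the VPC."""
    src = ipaddress.ip_address(src)
    if src in ipaddress.ip_network(PROTECTED_SUBNET):
        return PROTECTED_TABLE
    if src in ipaddress.ip_network(PUBLIC_DMZ_SUBNET):
        return DMZ_TABLE
    if src in ipaddress.ip_network(VPC_CIDR):
        return None  # other VPC subnets are not part of this model
    return IGW_EDGE_TABLE  # arrives from the internet through the IGW


def next_hop(src, dst):
    table = table_for_ingress(src)
    return None if table is None else table.lookup(dst)


def path_is_symmetric(inside_host, remote_host):
    """Both directions of a protected<->remote flow must pass the gateway."""
    outbound = next_hop(inside_host, remote_host)
    inbound = next_hop(remote_host, inside_host)
    return outbound == GATEWAY_ENI and inbound == GATEWAY_ENI


if __name__ == "__main__":
    # 203.0.113.7 stands in for STLFW01's public address (TEST-NET, constructed).
    print("protected -> remote site:", next_hop("10.20.0.10", "10.10.1.5"))
    print("gateway DMZ leg -> STLFW01:", next_hop("10.20.1.5", "203.0.113.7"))
    print("internet -> protected host:", next_hop("203.0.113.7", "10.20.0.10"))
    print("symmetric:", path_is_symmetric("10.20.0.10", "10.10.1.5"))
```

If `path_is_symmetric` returns False after a route-table change, one direction is leaving the VPC without the gateway seeing it, which is exactly the kind of silent break that shows up as a peer timeout rather than a clear log message.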
Accepted Solutions
I figured out this issue, but I am now at another issue, which I may put out a new post about. This was my first time having an SMS manage a gateway that is not on the same local network. I had to go to the SMS properties, go to the NAT tab, check the box to "Apply for Security Gateway control connections," and select the relevant security gateway under "Install on Gateway."
My new issue that will not be the topic of this post is that the VPN gateways are complaining about "Quick Mode Sent Notification: invalid key information."