Checkpoint ISP Redun. + VPN

May 18, 2006
Hey guys, I got the Checkpoint fw to work with a failover DSL line I have. Works great and it's pretty quick in response time. The only thing NOT working is the VPN portion of the failover. The VPN stops working. Any clues as to why?

Versions I'm using are
R61 HotFix 1

and I'm using Checkpoint firewalls with the same version all over.

I tried renewing the IPs for my Checkpoint to include both IPs, but it still doesn't work =|
 
Not sure about your setup. Presumably you have a normal internet link (e.g. T1) and are failing over onto a DSL line. Presumably you have location A with 1 being the normal link and 2 being the DSL link. Then location B

You probably should verify the following

1. There is no firewalling on the DSL router at A2.

2. When failover happens, what IP addresses can you see in location B trying to set up a tunnel?

3. If you see no traffic at location B, then is there any firewalling on the router at location B stopping the traffic from A2?

4. Verify your NAT rules. If I recall, it's best to stick with automatic NAT rules at location A... and in the rulebase at location B you obviously need the DSL IP address A2 defined in the object for the firewall at location A.
Thanks
Birmingham.
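
Steps 2 to 4 of the checklist above, run over a log export taken at location B, as an added example that is not part of the original post. The record layout, the addresses (documentation ranges) and the peer-object set are constructed for illustration and are not Check Point's own log format.

```python
# Constructed, simplified log records as seen at location B
# (not Check Point's export format). Addresses are documentation ranges.
A1 = "198.51.100.10"    # assumed: location A, primary (T1) address
A2 = "203.0.113.20"     # assumed: location A, DSL failover address
PEER_OBJECT_IPS = {A1}  # assumed: addresses defined on B's object for gateway A

SAMPLE_LOGS = [
    {"src": A1, "proto": "udp", "dport": 500, "action": "accept"},
    {"src": A2, "proto": "udp", "dport": 500, "action": "drop"},
    {"src": A2, "proto": "udp", "dport": 500, "action": "drop"},
]

def is_ike(rec):
    """IKE negotiation runs on UDP 500 (UDP 4500 when NAT-T is in use)."""
    return rec["proto"] == "udp" and rec["dport"] in (500, 4500)

def triage(logs, failover_ip, peer_ips):
    """Return findings for the failover address, following steps 2-4."""
    ike = [r for r in logs if is_ike(r) and r["src"] == failover_ip]
    findings = []
    if not ike:
        # Steps 1 and 3: nothing arrived, so something in between is
        # filtering or misrouting the traffic.
        findings.append("no IKE seen from failover address: check routers on both sides")
    elif all(r["action"] == "drop" for r in ike):
        # Step 2: B sees the tunnel attempt but refuses it.
        findings.append("IKE from failover address arrives but is dropped")
    if failover_ip not in peer_ips:
        # Step 4: B must know A2 as an address of gateway A.
        findings.append("failover address missing from peer gateway object")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_LOGS, A2, PEER_OBJECT_IPS):
        print(line)
```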
 
I'm not sure I get it, but there's def. no firewall as I checked with the DSL provider b/c they manage the router. They turned it off. I failed it over from T1 -> DSL and still nothing =\. Internet is OK, but no VPN. I also am trying to use the Tracker and the DSL IP, and nothing.
 
I might have stumbled upon something

VPN -> Link Selection -> all these settings are greyed out. How come? Is this where I would configure the vpn are to check if the line is down etc.?
 
And yet another find. I unchecked the

Topology -> ISP Redun and unchecked / VPN "Apply Settings to VPN Traffic" which this is what it said in the manual. Once unchecked, the greyed out stuff wasn't greyed out anymore. Is this the right step?
 
I'd like to help but it's a bit complex

You need to set up a test environment and play around with the settings.

When I check / uncheck "Apply Settings to VPN Traffic" things do not get greyed out.

You also need to check your encryption settings. What you could try doing is replace your normal vpn with the vpn you should have during failover. So forget about ISP redundancy for a moment. Configure the dsl vpn as the primary vpn and remove all the config for the normal vpn.

If you cannot configure the dsl vpn without isp redundancy it will never work with...if you know what I mean.
 
Well, here's the other thing, I can't take the VPN off the prim. b/c people use it 24/7. =\

When setting up the ISP redun. + VPN failover, is the VPN failover done via the VPN rules or the ISP redun.?
 
Both, so ISP redundancy fails over the VPN as configured by the tick box and then the VPN community settings take over.

You need to go through and check my previous suggestions one by one, e.g. routing, firewalling (not just on the firewall but DSL routers at your location and the other location), VPN community settings etc. Check the logs and you should be able to troubleshoot.
 
Let's say the ISP for the DSL are so dumb that they can't figure this out, and they won't let me get access to the router. 1) If I connect a PC straight into it, how can I tell if it's firewalling or stopping something that the vpn1 fw would do?

2) Which logs should I be looking out for? I'm in the Tracker and can't find any errors or anything dropped.

Is there any way you could help me over the phone just for a min?
 
Sorry, I don't do telephone support.

I can't really continue this post, but all the information is in the post for you to solve the problem.

First thing is you need to look in logs for local and remote firewall. Presumably remote firewall is managed by same management station, which makes everything a lot easier.

Second, try a ping or tracert from laptop connected to DSL router to remote firewall or its ISP router. Depending on the configuration you might get a reply or at least see something dropped in the firewall logs. If you don't get a reply or see logs, the firewall will never set up a VPN.

Third, a slight modification of what I said earlier: how about creating a separate VPN from your site to the remote site, but instead of sending all the traffic over it as I said last time, how about configuring the encryption domain with a test network.

Finally, read the white paper available from the checkpoint site and the readme stuff on the smartdashboard. I think the isp redundancy stuff might be in the smartdefence white paper. Not sure.

That's it.

Thanks.
 
You're right, but I can't take off something that's already working on one end. =\


I'm getting this error so far

Source Port: RDP
Information: encryption failure: Clear text packet should be encrypted
Encryption Methods: ESP: AES-128 + MD5
Encryption Scheme: IKE
Subproduct: VPN
VPN Feature: VPN

But I really don't think this is the prob. I can go in via a laptop and SSL VPN into the DSL line just fine and ping everything. I also chose to do route based probing and nothing =\..
 