Checkpoint NG VPN

[tester125]

Hi, I recently setup a VPN tunnel that works great without Nating. The problem is I need to NAT for another client, being that we have the same network number. The VPN tunnel
connects fine, but when the client from the other end trys to connect from his workstation I keep getting an error in the tracker that reads "encryption failure: Different community ID, possible NAT problem"
Without the NAT it works great on a test system that I Implicated. In my rule-base I have static nat for the workstation that the client is trying to connect to.
I am testing this on a LINKsys BEFSX41 Router to Checkpoint NG FP3
Have anyone run into this problem, thanks in advance for any input.

 

[kaiserkuo]

I have same problem in CP 4.1 , NG FP2 .

 

[rn4it]

To establish a VPN tunnel between to gateways, they need to be real IP's, if you attempt to NAT one of the gateway addresses, you will have problems

 

[tester125]

Thanks for the input rn4it, but am not nating the gateway. I'am nating a client behind the gateway.

 

[dodgeydave]

Check your encrpytion domains at both ends. I had a similar problem (without using any NAT however), where I had the network used at one end defined in the encryption domain for both gateways (topology->VPN Domain).

 

[Birmingham]

Do let us know how you get on in this. I do find it frustrating how checkpoint leave us to stuggle in sorting these things out. Anyway enough of that.

Are you using simplified or traditional policy?

If you are using simplified try editing vpn_route.conf and adding an entry for the natted ip address and sending it to the next hop gateway.

Like i said, let us know how you get on!

Thanks