
Site to Site VPN not working

Status: Not open for further replies.

vallan (Technical User, EU)
Aug 13, 2002
We are trying to set up a VPN between 2 sites. On one side we have set up the following rules:

local fw <...> remote fw <...> IKE
remote fw <...> local fw <...> IKE

remote network <...> local network <...> encrypt

FW are configured as 3DES<>SHA1 (Group2)<>Pre Shared Secret
encrypt is configured as SHA1, Group 2.

The remote FW is in cluster so for now we have created 3 externally managed FW to accommodate all 3 physical and virtual addresses.

We have a router with access list and on it we have the following rules

access-list ??? permit esp host <remote fw > host <local fw>
access-list ??? permit esp host <local fw> host <remote fw >
access-list ??? permit udp host <remote fw >eq isakmp host <local fw> eq isakmp
access-list ??? permit udp host <local fw> eq isakmp host <remote fw >eq isakmp FOR ALL 3 REMOTE IP ADDRESSES and
applied this to the serial line

and

access-list /// permit ip host local fw host remote fw

But it is still not working.

We are not even getting a decrypt/encrypt, talk less of connecting behind the FW. Please can anyone see what the solution is?

Thanks


 
Do you see a key exchange between the 2 sites? Also, is the other FW cluster also doing 3DES SHA1? Just out of curiosity, why are you using a router to protect the FW? You should have a stealth rule on the FW to stop unwanted traffic. Confirm that the router isn't stopping traffic.
 
No, I also removed the access list to test the connection, no, the router is not blocking traffic.

Doing a show access-list, I saw traffic on

access-list ??? permit udp host <local fw> eq isakmp host <remote fw >eq isakmp increasing but not on

access-list ??? permit esp host <remote fw > host <local fw>

Yes, the other side is using the same SHA1. We do have a stealth rule as well.

Any other ideas?

Thanks
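As an added illustration of the counter check in the post above (not code from this thread, nor from Check Point or Cisco), the following Python script compares two constructed show access-list snapshots and reports which of the isakmp and esp entries moved between them. The RFC 5737 addresses, the LOCAL_FW constant and the parse_counters, diff_counters and diagnose names are my own assumptions.

```python
import re
from typing import Dict, Tuple

Key = Tuple[str, str, str]  # (protocol, source host, destination host)

# Constructed sample: two "show access-list" snapshots a few minutes apart, using
# RFC 5737 addresses (198.51.100.5 = local firewall, 203.0.113.10 = remote).
LOCAL_FW = "198.51.100.5"
SNAPSHOT_BEFORE = """\
Extended IP access list 101
    permit esp host 203.0.113.10 host 198.51.100.5 (0 matches)
    permit esp host 198.51.100.5 host 203.0.113.10 (0 matches)
    permit udp host 203.0.113.10 eq isakmp host 198.51.100.5 eq isakmp (12 matches)
    permit udp host 198.51.100.5 eq isakmp host 203.0.113.10 eq isakmp (12 matches)
"""
# Only the local -> remote isakmp entry has moved, as reported in the thread.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("203.0.113.10 eq isakmp (12", "203.0.113.10 eq isakmp (30")

# "permit <proto> host A [eq p] host B [eq p] (N matches)"; an optional leading
# sequence number is tolerated and a missing "(N matches)" counts as zero hits.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(?P<proto>\S+)\s+host\s+(?P<src>\S+)(?:\s+eq\s+\S+)?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+\S+)?\s*(?:\((?P<hits>\d+)\s+match(?:es)?\))?\s*$"
)

def parse_counters(output: str) -> Dict[Key, int]:
    """Map each host-to-host ACE to its match counter; header lines are skipped."""
    counters: Dict[Key, int] = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[(m["proto"], m["src"], m["dst"])] = int(m["hits"] or 0)
    return counters

def diff_counters(before: Dict[Key, int], after: Dict[Key, int]) -> Dict[Key, int]:
    """Hits gained per ACE between the two snapshots."""
    return {k: v - before.get(k, 0) for k, v in after.items()}

def diagnose(delta: Dict[Key, int], local_fw: str) -> Tuple[str, str]:
    """Classify the tunnel from which entries moved (udp entries here are the isakmp ones)."""
    esp = sum(n for (proto, _, _), n in delta.items() if proto == "esp")
    ike_out = sum(n for (proto, src, _), n in delta.items() if proto == "udp" and src == local_fw)
    ike_in = sum(n for (proto, _, dst), n in delta.items() if proto == "udp" and dst == local_fw)
    if esp > 0:
        return "esp-flowing", "phase 2 is up; look at the encrypt rule and the networks behind each firewall"
    if ike_out and ike_in:
        return "ike-both-ways-no-esp", "peers talk but never agree; compare 3DES/SHA1/Group 2 proposals and the pre-shared secret on both sides"
    if ike_out:
        return "ike-outbound-only", "remote never answers; check the peer address (cluster VIP vs physical) and filtering in front of it"
    return "no-ike", "nothing reaches the router; verify gateway addresses and upstream filtering"
```

Run it against two real snapshots pasted into SNAPSHOT_BEFORE and SNAPSHOT_AFTER; an entry that shows no "(N matches)" suffix at all is treated as zero hits.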
 
Check the log files on the FWs to see if they are being dropped somewhere in the rulebase. Are you allowing people to access your FW with IPSEC? If you aren't seeing any traffic at all, then I would just double check your gateways' IP addresses. Also I would open icmp between the 2 FWs specifically, then see if I can ping one another. It's either a misconfig or your ISP is blocking IPSEC. Can you see any IPSEC coming to or going from the router? Basically, if your FWs aren't seeing any key exchanges, then you want to confirm that they are getting to the FW.
 
Quite a lengthy problem this, so apologies if I missed something that has been said.

I would try and simplify the problem: if it doesn't work with no access list on the router, it's not going to work with one. So I suggest that until you get the VPN working you test it with the router with no access list.

Next, I suggest you find a way of testing a standalone to standalone checkpoint vpn - just to prove that works.

Next, if you are configuring a standalone to cluster VPN on your firewall you should have an externally managed gateway created for the external cluster VPN. Depending on the version of Checkpoint and IPSO there are different ways of configuring it, but if you don't know, try having all the physical and VRRP IP addresses in the cluster's topology settings.

Finally once you have it working wait for the next version of checkpoint and / or ipso to stop it working and make you reconfigure it again.

Good luck.
 