
VPN/IKE Problem with return packets

Status
Not open for further replies.

thorfun (IS-IT--Management), Jun 25, 2001
Hello all,

I am having a very bizarre problem and have pulled all my hair out over this and am now seeking the infinite wisdom of the net! The problem is as follows (and I'm afraid that it does get a little complicated!):

I am establishing a VPN with another site. They are pinging a server in our office and I can see the packets in the log coming in via the tunnel; the ICMP packet is being decrypted by our firewall and the destination address is being translated to the correct internal IP address. If I snoop the interface of the server I can see the packets hitting the server and a reply being sent back to the firewall. If I snoop the internal interface of the firewall I can see the ICMP requests and replies going back and forth to the target server, but the reply packets are not going back through the VPN tunnel and are just being sent unencrypted via the Internet. The firewall log is also showing that the reply packets for some reason are coming from the external IP address of the server in our office and are then getting translated to the internal IP address (which I don't understand), but a snoop of the external interface of the firewall shows that they are going back over the Internet with the correct external IP address!

All of the above is being done using the automatic translation rules. If I set up a second object and do manual translation rules, the return packets are not going via the Internet (hooray!), but they are getting dropped in the firewall at the correct rule number, where it is stated that it should encrypt packets, and the only error message in the log that I'm getting is as follows:

"icmp-type 0 icmp-code 0 encryption failure: error occured scheme: IKE"

So, two things I can't understand:

1) Why, when doing automatic NAT, are the return packets not being sent through the VPN tunnel?

2) Why are the manually NAT'd packets getting dropped with the above error, and what does that error mean?

If anyone can help with this it will be extremely appreciated.

Thanks in advance,

Tom.
 
In addition to this, it may help to let you know that if I initiate the ping, then I can see the packet from our side of the VPN getting encrypted correctly and being sent down the VPN.
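As an added illustration (not part of the post above and not any vendor's firewall code), the following small Python model shows how the order in which a firewall applies source NAT and its encryption-domain check can produce the symptom described: a reply that is translated before the VPN check carries the external address, which is not in an encryption domain that lists only internal addresses, so it is routed in the clear. The addresses, the domain definitions and the processing order are constructed assumptions for the model only.

```python
# Added, simplified model of an outbound firewall path (hypothetical; not any
# vendor's implementation): source NAT and an encryption-domain check applied
# in one order or the other. Addresses are constructed documentation ranges.
from dataclasses import dataclass
import ipaddress

@dataclass
class Packet:
    src: str
    dst: str

# Constructed topology: internal server, its static NAT address, the peer site.
INTERNAL_SERVER = "10.1.1.10"
NAT_ADDRESS = "203.0.113.10"
PEER_HOST = "192.0.2.5"
NAT_MAP = {INTERNAL_SERVER: NAT_ADDRESS}      # static source NAT, internal -> external
LOCAL_DOMAIN = ["10.1.1.0/24"]                # local encryption domain as configured
PEER_DOMAIN = ["192.0.2.0/24"]                # remote encryption domain

def in_domain(addr, domain):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in domain)

def outbound(pkt, local_domain, nat_before_vpn):
    """Model one reply leaving the firewall; returns (disposition, wire packet),
    disposition 'encrypted' (through the tunnel) or 'clear' (plain Internet)."""
    if nat_before_vpn:
        # Source NAT is applied first, so the VPN check sees the translated address.
        pkt = Packet(NAT_MAP.get(pkt.src, pkt.src), pkt.dst)
    if in_domain(pkt.src, local_domain) and in_domain(pkt.dst, PEER_DOMAIN):
        return "encrypted", pkt
    # Not matched by the VPN policy: plain routed packet, NAT still applies.
    return "clear", Packet(NAT_MAP.get(pkt.src, pkt.src), pkt.dst)

def scenarios():
    reply = Packet(INTERNAL_SERVER, PEER_HOST)   # ICMP echo reply from the server
    return {
        # Translated before the check, domain lists only internal addresses:
        # reply leaves in the clear with the external address as its source.
        "nat_first_internal_domain": outbound(reply, LOCAL_DOMAIN, True),
        # Same order, but the translated address is part of the domain.
        "nat_first_domain_incl_nat": outbound(reply, LOCAL_DOMAIN + [NAT_ADDRESS + "/32"], True),
        # VPN check before NAT: the internal address matches the domain.
        "vpn_first_internal_domain": outbound(reply, LOCAL_DOMAIN, False),
    }

if __name__ == "__main__":
    for name, (disposition, pkt) in scenarios().items():
        print(f"{name}: {disposition} src={pkt.src} dst={pkt.dst}")
```

Checking which of the three outcomes matches what the firewall logs and an interface snoop show is a quick way to tell whether the encryption domain or the NAT ordering is the thing to revisit.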
 