
VPN Problem! Encryption Failure


lancelote

Programmer
Mar 17, 2004
25
FR
Hello,

I've got 2 Firewall-1 VPN-1 modules installed on 2 Nokia IP120s.
I have the management server on the local interface of one Nokia.
I've got a rule that does static NAT with a virtual address to the management server. The external interface of the Nokia has the IP 212.81.126.2 and my static NAT is 212.81.126.4. I think it works fine, so I can put policy on the 2 Nokias easily.
Now I have made a VPN community, and I can't communicate inside the VPN or between the 2 Nokias. There are different errors in SmartTracker, see:
encryption failure: no response from peer

Something else that happens is that I can't ping the remote Nokia from the local Nokia anymore. The error is:
encryption failure : the packet is dropped as there is no valid SA

Can you help me please? I must deploy really soon......


LaNceLoT
 
Another error message appears when I try to ping the remote Nokia from the management server. The error is:
encryption failure : cannot calculate IKE ranges

Any idea is welcome!


LaNceLoT
 
What steps have you taken to set up the VPN between the two Nokias? What VPN properties have you defined?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
For the VPN community I have this configuration:
IKE 3DES/MD5
IPSEC 3DES/MD5
I use IPSEC with perfect forward secrecy
I've disabled and enabled NAT inside the VPN community

On each gateway I support the use of pre-shared secret and public key
Support NAT traversal mechanism with port:
VPN1_IPSEC_encapsulation

In Global Properties I support authentication:
Pre-shared secret and public key
I've tried with IKE support over TCP


Hope it can help to find....



LaNceLoT
 
Is the encryption domain correctly configured for each firewall module object? Is VPN-1 Pro selected and correctly licenced in each of the modules? Does SmartView Status show any problems with either of the modules?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I have something more. I activated VPN debugging on the Nokia like this: vpn debug on and vpn debug IKE on.
And I got the following message on the HyperTerminal:
community_logid_from_community_id: unable to find entry in communites_names

.....my bad.... my boss is putting pressure on me .... arghhhhh :)


LaNceLoT
 
The domain of each gateway in the VPN is defined as the local network of each one. Manually defined as network 10.0.0.0/24 for the local Nokia and 10.0.1.0/24 for the remote Nokia.

I've had a problem from the beginning with the licences because my reseller made a mistake, so for now we don't have permanent licences and we must work with evaluation licences (I asked myself the question about the licences and the 15 days of full operation for Checkpoint products)

And SmartStatus displays no errors; all the points are OK

I've seen that the licence authorizes the encryption. Perhaps the module needs a permanent licence, but Checkpoint says that the evaluation licence has full access but not for more than 1 month......


LaNceLoT
 