Thank you Robert, I tried what you suggested using an externally managed
object in a site to site. I was able to connect to the R55 box from the Edge
appliance, but the reverse connection reported the following error:

    "Encryption fail reason: Cannot identify peer for encrypted connection
(VPN Error code 02)"

In a test to connect from the R55 to the Edge, I need to remove the external
object from the VPN community or the same error occurs.

If you have a document on this and are willing to share your experiences I
would be very grateful!!

So far I have only been able to create one-way tunnels. I wonder if the R55
box is not configured correctly, cause the Edge appliances don't have much
to them for options. And many others are able to connect. The R55 object
does not use auto NAT, and each server behind the box is a node-object with
static-nat settings. The node-objects are given a NAT ip address, then in
the NAT section given the static IP using method "static". Maybe that's the
problem?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Plaenk
Sent: Monday, July 19, 2004 6:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] R55 / Edge - Site to Site

If all you're doing is site-to-site, you can do it just like any other VPN.
Create an externally managed Check Point object and use either certificate or
pre-shared key. Then it's easy. If you decide you want central management, I
have a doc that describes the step-by-step process. And it works.

I've done it both ways and works without a problem.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Darren
Martz
Sent: Saturday, July 17, 2004 2:55 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] R55 / Edge - Site to Site

What is the best way to setup a site to site tunnel between an NG AI R55 box
and an Edge X appliance?

Some key points about the R55 box:
- Running on SecurePlatform
- Head office
- Static NAT configuration (10.1.1.x)
- All public addresses are static
- version R55 HFA 04

Some key points about the Edge appliance:
- Self managed (not managed by the R55 box)
- Remote office
- NAT configuration (192.168.20.x)
- DHCP external but always receives the same IP
- version 4.0.93x

So far I have tried many combinations without success.

Example1:
- created an externally managed "VPN-1 Edge" object
- the Edge VPN-domain topology set as "this gateway"
- attached to a Star community
- the policy always fails if a rule references anything to do with VPN???

Example2:
- created an externally managed "Checkpoint Gateway" object
- tunnel connects allowing the Edge to access 10.1.1.x addresses based on
R55 policy
- any attempt to access any Edge address (192.168.20.x) fails with an error
regarding "unknown peer"

I have also tried remote access configurations but could never get a valid
policy to work.

Perhaps I have missed something completely. We had this problem with FP3
before we upgraded and we still have it with R55.

Any ideas or suggestions are welcome!!
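The "unknown peer" / "Cannot identify peer for encrypted connection" symptom described in Example2 above and in the later reply is the gateway failing to map a destination address to any community member's VPN (encryption) domain. The following is an added example, not Check Point code and not part of this thread: a small Python model of that lookup, used to compare an Edge object whose VPN domain is "this gateway" only with one that also announces its 192.168.20.0/24 LAN. The gateway names, the public addresses (documentation ranges) and the host addresses are constructed for the example.

```python
"""Model of VPN peer identification by encryption domain (added example).

Hypothetical model, not Check Point code: a gateway about to encrypt a
packet looks for the community member whose VPN domain contains the
destination; if none matches, the packet cannot be tunnelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Gateway:
    """A VPN community member (constructed for this example)."""
    name: str
    external_ip: str
    # CIDR networks announced as the VPN domain. An empty list models the
    # "this gateway" topology setting: only the gateway's own address.
    vpn_domain: List[str] = field(default_factory=list)

    def encryption_domain(self) -> List[ipaddress.IPv4Network]:
        nets = [ipaddress.ip_network(c) for c in self.vpn_domain]
        nets.append(ipaddress.ip_network(f"{self.external_ip}/32"))
        return nets

    def covers(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.encryption_domain())


def identify_peer(community: List[Gateway], local: Gateway,
                  dst: str) -> Optional[str]:
    """Return the name of the peer whose domain contains dst, or None.

    A destination inside the local gateway's own domain is never a peer,
    and a destination matched by no member is the 'cannot identify peer'
    case from the thread.
    """
    if local.covers(dst):
        return None
    for gw in community:
        if gw is local:
            continue
        if gw.covers(dst):
            return gw.name
    return None


def check_both_directions(a: Gateway, b: Gateway,
                          host_a: str, host_b: str) -> Dict[str, Optional[str]]:
    """Peer lookup for a->host_b and b->host_a; None marks a one-way tunnel."""
    community = [a, b]
    return {
        f"{a.name}->{b.name}": identify_peer(community, a, host_b),
        f"{b.name}->{a.name}": identify_peer(community, b, host_a),
    }


# Constructed sample topology (documentation address ranges).
R55 = Gateway("R55-HQ", "203.0.113.1", ["10.1.1.0/24"])
EDGE_THIS_GATEWAY = Gateway("Edge-remote", "198.51.100.7", [])
EDGE_WITH_LAN = Gateway("Edge-remote", "198.51.100.7", ["192.168.20.0/24"])


def one_way_vs_two_way():
    """Compare the two Edge VPN-domain settings for the same host pair."""
    hosts = ("10.1.1.20", "192.168.20.10")
    return (check_both_directions(R55, EDGE_THIS_GATEWAY, *hosts),
            check_both_directions(R55, EDGE_WITH_LAN, *hosts))


if __name__ == "__main__":
    only_gateway, with_lan = one_way_vs_two_way()
    print("Edge domain = this gateway:", only_gateway)
    print("Edge domain includes LAN:  ", with_lan)
```

With the "this gateway" setting the Edge-to-R55 direction resolves a peer while the reverse direction returns None, which is the one-way behaviour the thread reports; once the remote LAN is part of the Edge's domain both lookups succeed. The same model makes the NAT point checkable: whichever address the R55 side actually sends toward the Edge (real or translated) must fall inside the Edge's announced domain, or the lookup fails in exactly this way.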

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================
