Have you checked your VPN domain, and also your anti-NAT rule between site-to-site LANs?
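The anti-NAT point above can be seen in a small offline model. The following is an added example written for this thread; it is not code from the list, from any of the posters, or from Check Point. It models a first-match NAT rulebase evaluated before the VPN-domain lookup, with the lookup done on the translated source address. Under that (assumed) processing order, a statically NATted head-office server sending to the remote LAN is translated to a public address that is outside the local encryption domain, so no peer can be found for the connection, while a host without a static NAT entry, or any host once a no-NAT rule sits above the static NAT rule, is matched to the Edge peer. All addresses, object names and the order of evaluation are assumptions for illustration.

```python
"""Why a site-to-site tunnel needs a no-NAT rule: a toy model.

Added example for this thread; not code from the list, from Check Point,
or from any of the posters.  It models a first-match NAT rulebase followed
by a VPN-domain lookup on the translated source address, which is enough
to reproduce the "cannot identify peer" symptom described in the thread.
Addresses, rule order and the processing model are assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values; public ranges are documentation nets).
HQ_LAN = ip_network("10.1.1.0/24")          # behind the R55 box
EDGE_LAN = ip_network("192.168.20.0/24")    # behind the Edge appliance
HQ_PUBLIC = "203.0.113.10"                  # R55 external address (assumed)
EDGE_PUBLIC = "198.51.100.20"               # Edge external address (assumed)
ANY = ip_network("0.0.0.0/0")

# Encryption domain each gateway advertises, keyed by its public address.
VPN_DOMAINS = {HQ_PUBLIC: [HQ_LAN], EDGE_PUBLIC: [EDGE_LAN]}

# Static NAT for two head-office servers (constructed node objects).
STATIC_NAT = {
    ip_address("10.1.1.5"): ip_address("203.0.113.5"),
    ip_address("10.1.1.6"): ip_address("203.0.113.6"),
}


def nat_rulebase(with_no_nat_rule):
    """Return a first-match NAT rulebase as (src_net, dst_net, translate) rows.

    translate is None for 'keep the original address' or a callable applied
    to the source address.  The anti-NAT rows, when present, sit above the
    static NAT row so they match first.
    """
    rules = []
    if with_no_nat_rule:
        rules.append((HQ_LAN, EDGE_LAN, None))
        rules.append((EDGE_LAN, HQ_LAN, None))
    rules.append((HQ_LAN, ANY, lambda s: STATIC_NAT.get(s, s)))
    return rules


def translate_source(rules, src, dst):
    """Apply the first matching NAT rule to the source address."""
    for src_net, dst_net, translate in rules:
        if src in src_net and dst in dst_net:
            return src if translate is None else translate(src)
    return src


def classify(src, dst, with_no_nat_rule):
    """Decide what the R55 side does with a packet from src to dst.

    Assumed order: NAT first, then the VPN lookup uses the translated source.
    Returns ("ok", peer_public_ip) or ("fail", reason).
    """
    src, dst = ip_address(src), ip_address(dst)
    translated = translate_source(nat_rulebase(with_no_nat_rule), src, dst)
    if not any(translated in net for net in VPN_DOMAINS[HQ_PUBLIC]):
        return ("fail", f"translated source {translated} is outside the local VPN domain")
    for peer, nets in VPN_DOMAINS.items():
        if peer != HQ_PUBLIC and any(dst in net for net in nets):
            return ("ok", peer)
    return ("fail", f"cannot identify peer for destination {dst}")


if __name__ == "__main__":
    # Compare a statically NATted server with an untranslated host, with and
    # without the no-NAT rule above the static NAT rule.
    for host in ("10.1.1.5", "10.1.1.50"):
        for flag in (False, True):
            label = "no-NAT rule first" if flag else "static NAT only"
            print(f"{host:10} {label:18} -> {classify(host, '192.168.20.10', flag)}")
```

The model only reproduces the direction the thread reports as failing (head office to remote office); traffic arriving from the Edge is not translated on the R55 side in this model, which is consistent with that direction working.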
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Martz
Sent: Monday, July 19, 2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] R55 / Edge - Site to Site

Thank you Robert,

I tried what you suggested using an externally managed object in a site to site. I was able to connect to the R55 box from the Edge appliance, but the reverse connection reported the following error:

"Encryption fail reason: Cannot identify peer for encrypted connection (VPN Error code 02)"

In a test to connect from the R55 to the Edge, I need to remove the external object from the VPN community or the same error occurs.

If you have a document on this and are willing to share your experiences I would be very grateful!! So far I have only been able to create one-way tunnels. I wonder if the R55 box is not configured correctly, because the Edge appliances don't have much to them for options. And many others are able to connect.

The R55 object does not use auto NAT, and each server behind the box is a node object with static NAT settings. The node objects are given a NAT IP address, then in the NAT section given the static IP using method "static". Maybe that's the problem?

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Robert Plaenk
Sent: Monday, July 19, 2004 6:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] R55 / Edge - Site to Site

If all you're doing is site-to-site, you can do it just like any other VPN. Create an externally managed Check Point object and use either certificate or pre-shared key. Then it's easy.

If you decide you want central management, I have a doc that describes the step-by-step process. And it works. I've done it both ways and it works without a problem.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Martz
Sent: Saturday, July 17, 2004 2:55 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] R55 / Edge - Site to Site

What is the best way to set up a site to site tunnel between an NG AI R55 box and an Edge X appliance?

Some key points about the R55 box:
- Running on SecurePlatform
- Head office
- Static NAT configuration (10.1.1.x)
- All public addresses are static
- version R55 HFA 04

Some key points about the Edge appliance:
- Self managed (not managed by the R55 box)
- Remote office
- NAT configuration (192.168.20.x)
- DHCP external but always receives the same IP
- version 4.0.93x

So far I have tried many combinations without success.

Example 1:
- created an externally managed "VPN-1 Edge" object
- the Edge VPN domain topology set as "this gateway"
- attached to a Star community
- the policy always fails if a rule references anything to do with VPN???

Example 2:
- created an externally managed "Checkpoint Gateway" object
- tunnel connects, allowing the Edge to access 10.1.1.x addresses based on R55 policy
- any attempt to access any Edge address (192.168.20.x) fails with an error regarding "unknown peer"

I have also tried remote access configurations but could never get a valid policy to work.

Perhaps I have missed something completely. We had this problem with FP3 before we upgraded and we still have it with R55.

Any ideas or suggestions are welcome!!
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
