Hi,

I'm trying to set up a site-to-site VPN between CheckPoint VPN-1 NGX on
SPLAT and a FortiGate 60 device.

The VPN-1 has a public IP address, while the Fortigate has a private
address and is hidden behind a broadband router with a public IP address,
as shown in the following chain.

NETWORK_A <-> VPN-1 <-> Internet <-> BB_ROUTER <-> Fortigate <->
NETWORK_B

Without any kind of inbound static NAT entries at the broadband router,
I'm able to raise the tunnel as long as it's the FortiGate that takes the
first step.

Test #1
With the tunnel up, the traffic sent from the Fortigate's VPN domain
(NETWORK_A) to the VPN-1's VPN domain (NETWORK_B) goes through the
tunnel and arrives at the VPN-1, where the Check Point logs show a
"decrypt" entry. But the replies are not encrypted and sent back through
the tunnel. With a tcpdump on the tunnel endpoint interface of the VPN-1
it is possible to see the SYNs arriving and the SYN-ACKs being generated
but not sent back. Because of this, the SYNs are retransmitted several
times.

Test #2
With the tunnel up, the traffic sent from NETWORK_A to NETWORK_B is not
encrypted by the VPN-1 as it is expected to be. I see in the logs two
entries stating "encryption failure reason (...) no valid SA" and
"encryption failure: no response from peer". The VPN-1 knows that it
should encrypt such traffic but is unable to do so.

I'm pretty sure that the tunnel is up on the FortiGate side, and I can
see the inbound and outbound SAs. On the VPN-1 I'm not so sure. When I
run "vpn tu" and list the IPSec SAs, I see both inbound and outbound,
but SmartView Monitor shows no tunnels in "my community", even though
it counts 1 gateway-to-gateway tunnel in the status.

So, I am wondering if it's possible to have a VPN where one of the
gateways is behind a NAT device.

Best regards,

Pedro Boavida
Systems Engineer
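The closing question, whether a site-to-site IPsec VPN can work with one gateway behind a NAT device, is what IKE NAT traversal is for (RFC 3947 for IKEv1, with UDP encapsulation of ESP per RFC 3948). During Phase 1 each peer sends NAT-D payloads: a hash of the address it is sending to, then a hash of each address it may be sending from. The receiver recomputes those hashes over the addresses it actually sees on the wire; a mismatch on the source hash means the sender is behind NAT, a mismatch on the destination hash means the receiver is. The Python below, added here as an example and not part of the original post or of either vendor's code, works that detection through for the topology in the post (FortiGate initiating from behind BB_ROUTER, VPN-1 on a public address) and then states what follows from it. The addresses and IKE cookies are constructed, since the post gives none; it models the exchange rather than reproducing any capture.

```python
"""RFC 3947 NAT detection (NAT-D payloads) for IKEv1, worked for the
topology in the post: VPN-1 on a public address, FortiGate behind a
broadband router doing source NAT.  Example code, not from the post."""
import hashlib
import ipaddress
import struct

# Constructed values (RFC 5737 documentation ranges); the post gives none.
VPN1_IP = "198.51.100.1"        # VPN-1 public address (assumed)
FG_PRIVATE_IP = "192.168.1.2"   # FortiGate's own address behind BB_ROUTER (assumed)
BB_PUBLIC_IP = "203.0.113.10"   # what VPN-1 sees as the source after NAT (assumed)
IKE_PORT = 500
CKY_I = bytes.fromhex("0011223344556677")  # initiator cookie (FortiGate initiates)
CKY_R = bytes.fromhex("8899aabbccddeeff")  # responder cookie (VPN-1)


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port); IP packed in network
    order, port as a 2-byte big-endian value, using the Phase 1 hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """NAT-D payloads a peer sends: first the hash of where it is sending to
    (remote), then one hash per address it may be sending from (local)."""
    return {
        "dst": nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        "src": [nat_d_hash(cky_i, cky_r, local_ip, local_port)],
    }


def detect_nat(payloads, seen_src_ip, seen_src_port, own_ip, own_port, cky_i, cky_r):
    """Receiver recomputes the hashes over the addresses actually on the wire.
    Returns (peer_behind_nat, self_behind_nat)."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in payloads["src"]
    self_behind_nat = nat_d_hash(cky_i, cky_r, own_ip, own_port) != payloads["dst"]
    return peer_behind_nat, self_behind_nat


def vpn1_view():
    """FortiGate initiates.  Its NAT-D payloads hash its private source
    address, but VPN-1 receives the packet from BB_ROUTER's public address."""
    fg_payloads = build_nat_d(CKY_I, CKY_R, FG_PRIVATE_IP, IKE_PORT, VPN1_IP, IKE_PORT)
    return detect_nat(fg_payloads, BB_PUBLIC_IP, IKE_PORT, VPN1_IP, IKE_PORT, CKY_I, CKY_R)


def fortigate_view():
    """VPN-1 replies to the address it saw (BB_ROUTER), so its destination
    hash does not match what the FortiGate computes over its private address."""
    cp_payloads = build_nat_d(CKY_I, CKY_R, VPN1_IP, IKE_PORT, BB_PUBLIC_IP, IKE_PORT)
    return detect_nat(cp_payloads, VPN1_IP, IKE_PORT, FG_PRIVATE_IP, IKE_PORT, CKY_I, CKY_R)


def nat_t_plan(peer_behind_nat, self_behind_nat):
    """What both peers do once NAT is detected (RFC 3947/3948): move IKE and
    ESP to UDP 4500, and the peer on the NAT side keeps the mapping alive."""
    nat_present = peer_behind_nat or self_behind_nat
    return {
        "udp_encapsulation": nat_present,
        "port": 4500 if nat_present else 500,
        "keepalives_from": "self" if self_behind_nat else ("peer" if peer_behind_nat else None),
    }


def can_initiate(target_behind_nat, target_has_inbound_static_nat):
    """Without a static inbound mapping a peer behind NAT cannot be reached
    from outside, so only that peer can open the tunnel (and the mapping)."""
    return (not target_behind_nat) or target_has_inbound_static_nat


if __name__ == "__main__":
    print("VPN-1 sees (peer_nat, self_nat):", vpn1_view())
    print("FortiGate sees (peer_nat, self_nat):", fortigate_view())
    print("NAT-T plan at VPN-1:", nat_t_plan(*vpn1_view()))
    print("VPN-1 can initiate toward FortiGate without static NAT:",
          can_initiate(True, False))
```

Both sides reach the same conclusion from opposite directions (VPN-1 finds the peer behind NAT, the FortiGate finds itself behind NAT), which is what lets them agree to float to UDP 4500 and encapsulate ESP. The `can_initiate` check is the general form of the observation in the post that the tunnel only comes up when the FortiGate goes first: with no inbound static NAT on BB_ROUTER there is nothing for VPN-1 to send IKE to, and once the NATed side's mapping expires without keepalives the public side is back in that position.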
