'Sup list... I got it working finally (but not as I would have liked it to work). Thank you for all the proposals; they helped us during the troubleshooting process. We even got NS people on the line (not too much help, by the way). With almost 3 days of troubleshooting we all agree that the key element in Phase 2 was the network match-up, just like Zafar, Claudia, Bruce, Trevor and some of you mentioned, but even though we had that part defined on both ends, the traffic was still flowing in just one direction (NS->CP)...

At the end we noticed that NS was just receiving the host's IP/mask from my CP's LAN for each and every PC; it didn't receive the network. I even enabled the support for key exchange to see if NS got the network instead of the host... So we tried to lock it down to host-to-host rules, and it worked... both sides... but NS had to be configured with a so-called 'Proxy-ID' where he defined my host. So at the end, I ended up NATing my whole class C network behind just one IP and permitting the NATing in the VPN community, and NS would have defined that NATed IP under his 'Proxy-ID' setting... and bAaM!! Site-to-site VPN bidirectional requests at both sites...

I'm so happy, hehehe. I definitely think there's some compatibility issue there, and so does the NS guy; we never had all this workaround under a simple site-to-site. I hope this could help somebody in the future...
Have a nice one...

Miguel >=)

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 14, 2006 2:18 PM
To: [email protected]
Subject: Re: [FW-1] R55 vs Netscreen site-to-site VPN

Miguel,

Please make sure that the network/host objects in the encryption domains match up on both the Checkpoint and Netscreen firewalls. If you have a network in the Checkpoint encryption domain, then make sure you have the same network under protected resources in the Netscreen. I would also make sure that the traffic going to the Netscreen firewall is not being NATed.

I hope this helps. Good luck,

Mehmood Zafar
Network Security Analyst
CISSP, CISA, CCSA, CCSE
MAXIMUS Inc

Miguel Angel Gutierrez <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
08/14/2006 02:43 PM
Please respond to Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: [FW-1] R55 vs Netscreen site-to-site VPN

Hi guys...

Have you ever had a situation like this before?

Site-to-site VPN (R55 - Netscreen)
- Netscreen's LAN can access R55's LAN without any problem
- R55's LAN can't access Netscreen's LAN due to a "packet is dropped because there's no valid SA" tracker message.

?
--------------------------------------------------------
TELVISTA CERTIFIED
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
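The thread keeps coming back to one mechanism: a Phase 2 (quick mode) SA is only built when the traffic selectors the initiator offers agree with what the responder is configured to accept, and the two vendors judge "agree" differently. The model below is an added example; it is not code from the thread, from Check Point or from Juniper, and it does not talk IKE. It encodes two assumptions drawn from the thread and labelled as such in the comments: the Check Point side, as responder, accepts any offered pair that falls inside its encryption domains, while the NetScreen, as responder, accepts only an offer that is the exact mirror image of its configured Proxy-ID; and the Check Point, as initiator, offers the single source host as a /32 unless subnet key exchange is on. All addresses are constructed (RFC 1918 / RFC 5737 ranges). Running it reproduces the asymmetry Miguel described (NS->CP works, CP->NS fails with a selector mismatch) and shows why hiding the whole LAN behind one address, with that address named in the Proxy-ID, makes the per-host /32 offer match.

```python
"""Phase 2 traffic-selector (proxy-ID) matching model for a Check Point /
NetScreen site-to-site VPN. Added example; addresses are constructed."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed topology (the thread gives no addresses).
CP_LAN = Net("192.168.1.0/24")   # the "class C" behind the Check Point R55
NS_LAN = Net("10.2.0.0/24")      # LAN behind the NetScreen
CP_HIDE = Net("192.0.2.10/32")   # single address the Check Point LAN is hidden behind


@dataclass(frozen=True)
class Selector:
    """One Phase 2 selector pair, written from the initiator's point of view."""
    local: Net
    remote: Net

    def mirrored(self):
        """The same pair as the responder sees it (its local is our remote)."""
        return Selector(self.remote, self.local)


def containing(nets, addr):
    """Narrowest network in nets that contains addr, or None."""
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def within(net, nets):
    return any(net.subnet_of(n) for n in nets)


def checkpoint_proposal(own_domain, peer_domain, src, dst, subnet_kx=False):
    """Selector a Check Point gateway offers for a packet src -> dst.
    Assumption modelled from the thread: with subnet key exchange off the
    local side is the source host as a /32 (what the NetScreen received);
    with it on, the local side is the containing encryption-domain network."""
    local = containing(own_domain, src) if subnet_kx else Net(f"{src}/32")
    remote = containing(peer_domain, dst)
    return Selector(local, remote) if local and remote else None


def checkpoint_accepts(own_domain, peer_domain, offered):
    """Assumed responder rule: the peer's side must fall inside a peer-domain
    network and our side inside one of our own networks."""
    return within(offered.local, peer_domain) and within(offered.remote, own_domain)


def netscreen_accepts(proxy_id, offered):
    """Assumed responder rule: the offer must be the exact mirror image of the
    configured Proxy-ID; merely falling inside it is not enough."""
    return offered.mirrored() == proxy_id


def mismatch_report(proxy_id, offered):
    """Which half of the strict comparison failed; an empty list means a match."""
    seen = offered.mirrored()
    problems = []
    if seen.local != proxy_id.local:
        problems.append(f"local: proxy-ID {proxy_id.local} vs offered {seen.local}")
    if seen.remote != proxy_id.remote:
        problems.append(f"remote: proxy-ID {proxy_id.remote} vs offered {seen.remote}")
    return problems


NS_PROXY_ID = Selector(NS_LAN, CP_LAN)   # NetScreen: local 10.2.0.0/24, remote 192.168.1.0/24


def netscreen_to_checkpoint():
    # NetScreen offers its Proxy-ID verbatim; Check Point accepts anything inside its domains.
    return checkpoint_accepts([CP_LAN], [NS_LAN], NS_PROXY_ID)


def checkpoint_to_netscreen(subnet_kx=False):
    # A host on the Check Point LAN opens a connection to a host on the NetScreen LAN.
    offered = checkpoint_proposal([CP_LAN], [NS_LAN], Addr("192.168.1.15"), Addr("10.2.0.7"), subnet_kx)
    return netscreen_accepts(NS_PROXY_ID, offered), mismatch_report(NS_PROXY_ID, offered)


def checkpoint_to_netscreen_hide_nat():
    # After hide NAT the source is the single hide address, so the per-host /32
    # the Check Point offers is exactly what the NetScreen Proxy-ID now names.
    proxy_id = Selector(NS_LAN, CP_HIDE)
    offered = checkpoint_proposal([CP_HIDE], [NS_LAN], CP_HIDE.network_address, Addr("10.2.0.7"))
    return netscreen_accepts(proxy_id, offered), mismatch_report(proxy_id, offered)


if __name__ == "__main__":
    print("NS -> CP:", netscreen_to_checkpoint())
    print("CP -> NS (per-host offer):", checkpoint_to_netscreen())
    print("CP -> NS (hide NAT):", checkpoint_to_netscreen_hide_nat())
```

Two caveats on reading the output. The model treats the selector comparison in isolation, so with subnet_kx=True it offers the /24 and reports a match, whereas Miguel says enabling that option on its own did not fix the tunnel; treat the script as a way to spot a selector mismatch in a "no valid SA" drop, not as proof that the negotiation will succeed. And the hide-NAT fix trades the per-host visibility in the NetScreen's policy for a single address, which is exactly what Zafar's advice against NATing VPN traffic was guarding against; it is a workaround, and the remote site's rules can no longer distinguish individual hosts behind the Check Point.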
