Hi,

Did you try to do the same thing with the device as an "Unmanaged device"? I think there is a problem with the network topology exchanged between the management and the device... If the device is not managed, you will not find the HQ topology on the device: that can be the source of the problem.
--- Harald Astrand <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to set up a site-to-site VPN between our gateway cluster and a
> customer VPN-1 Edge device that we will manage.
> The gateway cluster is running R55 HFA_17 and the VPN-1 Edge is running 6.0.76.
>
> The customer is using a private subnet (192.168.1.0/24) behind the VPN-1 Edge,
> but at the HQ we are using 192.168.0.0/16.
> I would therefore like the VPN-1 Edge to translate 192.168.1.0/24 into
> 172.16.1.0/24 before sending it over the VPN connection.
> The customer only needs to access 192.168.2.0/24 in the HQ network.
>
> I have now reached a point where some things are working:
>
> 1. I can successfully connect from a client in the HQ (192.168.2.1) to a
>    machine in the customer network (192.168.1.1) if I use 172.16.1.1 as the
>    destination address.
> 2. If I have done the connection in step 1, the user of 192.168.1.1 in the
>    customer network can successfully access 192.168.2.1 in the HQ.
>
> However, if a user in the customer network (192.168.1.1) tries to access
> 192.168.2.1 without any preceding packet from the HQ, he is not able to
> reach the machine.
> In the logs of both the VPN-1 Edge and the R55 I can see that the packets
> are accepted, and if I use tcpdump on the HQ firewall I can see the return
> packets from 192.168.2.1, but they never reach 192.168.1.1.
>
> The VPN encryption domain is currently 192.168.2.0/24 for the HQ firewall
> and 172.16.1.0/24 for the VPN-1 Edge. Is 192.168.1.0/24 also required in
> the VPN domain for the VPN-1 Edge, and in that case how would I prevent the
> HQ firewall from routing packets to a 192.168.1.0/24 address over the VPN
> tunnel (as I said earlier, we want to use all addresses in 192.168.0.0/16
> inside the HQ and we only want to route packets to 172.16.1.0/24 over the
> tunnel)?
>
> The network address translations on the VPN-1 Edge look like:
>
>   Original Source   Original Destination   Translated Source   Translated Destination
>   Any               172.16.1.0/24          Original            192.168.1.0/24
>   192.168.1.0/24    Any                    172.16.1.0/24       Original
>
> A static route for 172.16.1.0/24 has been configured on the VPN-1 Edge to
> point to the local LAN of the customer, to fix the anti-spoofing error
> messages that occurred before.
> The VPN-1 Edge is currently managed from our Smart Centre and is not
> configured to be an externally managed gateway.
>
> Any help would be very much appreciated!
>
> Regards,
>
> Harald
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
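Added example, not part of either message and not Check Point code: a small Python model of the NAT rules and encryption domains Harald lists, used to trace the customer-initiated flow (192.168.1.1 -> 192.168.2.1) and to check the overlap he is worried about. The addresses are the ones from the post; the order in which the Edge applies NAT relative to the encryption-domain check is not stated on the page, so it is a parameter here. Static NAT is modelled as a 1:1 prefix swap, an assumption of the model.

```python
"""
Model of the flow in the post: Edge NATs 192.168.1.0/24 -> 172.16.1.0/24,
Edge VPN domain is 172.16.1.0/24, HQ VPN domain is 192.168.2.0/24, HQ uses
192.168.0.0/16 internally. Simplified illustration, not the product's logic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    src: Net
    dst: Net
    xlate_src: Optional[Net]   # None means "Original" (unchanged)
    xlate_dst: Optional[Net]


def translate(addr: IP, orig: Net, new: Net) -> IP:
    """Static (1:1) NAT assumed: keep the host offset, swap the prefix."""
    assert orig.prefixlen == new.prefixlen, "static NAT needs equal-sized nets"
    return IP(int(new.network_address) + (int(addr) - int(orig.network_address)))


def apply_nat(src: IP, dst: IP, rules):
    """First matching rule wins, as in an ordered NAT rule base."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return (translate(src, r.src, r.xlate_src) if r.xlate_src else src,
                    translate(dst, r.dst, r.xlate_dst) if r.xlate_dst else dst)
    return src, dst


def vpn_peer(src: IP, dst: IP, local: list, peers: dict):
    """Name of the peer whose domain holds dst, if src is in our own domain."""
    if not any(src in n for n in local):
        return None
    for name, nets in peers.items():
        if any(dst in n for n in nets):
            return name
    return None


def domain_overlap(domain: list, internal: list) -> list:
    """Peer-domain networks that collide with our own address space."""
    return [d for d in domain for i in internal if d.overlaps(i)]


ANY = Net("0.0.0.0/0")
# The two NAT rules from the post, in rule-base order
EDGE_NAT = [
    NatRule(ANY, Net("172.16.1.0/24"), None, Net("192.168.1.0/24")),
    NatRule(Net("192.168.1.0/24"), ANY, Net("172.16.1.0/24"), None),
]
EDGE_DOMAIN = [Net("172.16.1.0/24")]
HQ_DOMAIN = [Net("192.168.2.0/24")]
HQ_INTERNAL = [Net("192.168.0.0/16")]


def trace_customer_initiated(nat_before_vpn: bool = True) -> dict:
    """Trace 192.168.1.1 -> 192.168.2.1 out through the Edge and back."""
    src, dst = IP("192.168.1.1"), IP("192.168.2.1")
    if nat_before_vpn:
        src, dst = apply_nat(src, dst, EDGE_NAT)
    out_peer = vpn_peer(src, dst, EDGE_DOMAIN, {"HQ": HQ_DOMAIN})
    if not nat_before_vpn:
        src, dst = apply_nat(src, dst, EDGE_NAT)
    # Reply from the HQ host, as the HQ gateway sees it
    rsrc, rdst = dst, src
    back_peer = vpn_peer(rsrc, rdst, HQ_DOMAIN, {"Edge": EDGE_DOMAIN})
    # Edge undoes the translation on the way back in (rule 1)
    _, final_dst = apply_nat(rsrc, rdst, EDGE_NAT)
    return {"outbound_src": str(src), "outbound_peer": out_peer,
            "return_peer": back_peer, "delivered_to": str(final_dst)}


if __name__ == "__main__":
    print(trace_customer_initiated())
    print(trace_customer_initiated(nat_before_vpn=False))
    # Harald's concern: adding 192.168.1.0/24 to the Edge domain collides
    # with HQ's own 192.168.0.0/16 and pulls HQ-internal traffic into the tunnel
    widened = [Net("192.168.1.0/24")] + EDGE_DOMAIN
    print(domain_overlap(widened, HQ_INTERNAL))
    print(vpn_peer(IP("192.168.2.1"), IP("192.168.1.50"), HQ_DOMAIN,
                   {"Edge": widened}))
```

With NAT applied before the domain check the trace completes end to end (172.16.1.1 is inside the Edge domain, the reply is sent back to Edge, and rule 1 restores 192.168.1.1); with the check done on the untranslated source, 192.168.1.1 is outside the Edge domain and nothing is tunnelled. The overlap check makes the second question concrete: 192.168.1.0/24 in the Edge domain overlaps 192.168.0.0/16, and an HQ packet for an internal 192.168.1.x host would then match the Edge peer.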
