FW: [fw-wiz] VPN Problems between WatchGuard Firebox 700 and Netscreen 5

From: David Klein (dklein_at_netscreen.com)
Date: 03/02/04

  • Next message: Al Cooper: "[fw-wiz] PIX to PIX IPSec Tunnel Through a PIX"
    To: "'David Kison'" <garetjax@keester.com>
    Date: Tue, 2 Mar 2004 13:53:02 -0800

    David,

    I'm assuming you are using policy-based VPNs (a policy with the "tunnel"
    action keyword) and not route-based VPNs (a tunnel linked to a pseudo
    interface with static routes into that interface/tunnel). If so then make
    sure you have two policies enabled for the tunnel. Basically it sounds like
    your:
             "set pol from untrust to trust ... vpn ..." is working but your:
             "set pol from trust to untrust ... vpn ..." policy is not working.
    Either check to make sure it's there and if so then make sure it is
    positioned properly so it is not shadowed by something like a:
             "set pol from trust to untrust any any any permit" policy.

    Dave Klein
    NetScreen SE

    -----Original Message-----
    From: David Kison [mailto:garetjax@keester.com]
    Sent: Tuesday, March 02, 2004 11:29 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] VPN Problems between WatchGuard Firebox 700 and Netscreen 5

    Good Morning.

    I am currently experiencing problems getting an IPSEC VPN between a WatchGuard
    Firebox 700 and a Netscreen 5 functioning in both directions. I am able to pass
    traffic from behind the Firebox to the remote network and get a return but
    if I attempt to pass traffic from behind the Netscreen 5, I am 100%
    unsuccessful. In the traffic logs on the WatchGuard, I am seeing denies
    related to spoofed source packets on the IPSEC "interface". It appears that
    the Netscreen is passing the public address of the firewall instead of the
    private address of the initiating system behind the Netscreen. Both
    firewalls are NATing private Class C networks.

    I am out of ideas on the issue. Has anyone seen a similar issue? Any
    solutions?

    Thanks in advance.

    Dave

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
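As an added illustration of the policy-shadowing explanation above (this is
not code from the post, from NetScreen, or from either Dave), the script below
models first-match policy evaluation over a short ScreenOS-style policy list.
A broad "set pol from trust to untrust any any any permit" policy placed above
the "tunnel" policy matches the LAN-to-LAN flow first, so the session is
handled as an ordinary NATed permit (leaving with the firewall's public
address, which is what the Firebox logs as a spoofed source) and never enters
the VPN. The zone names, the address-book entries "local-lan" and "remote-lan",
the VPN name "to-firebox", the IP ranges and the simplified "set pol" syntax
are all assumptions chosen to mirror the shorthand used in the thread; real
ScreenOS policy lines carry ids and quoted names.

```python
"""Added example, not code from the fw-wizards post or from NetScreen.

Models first-match policy evaluation on a ScreenOS-style policy list to show
how a broad permit policy above a "tunnel" policy shadows it.  Zone names,
address-book names, the VPN name "to-firebox" and the simplified policy
syntax are assumptions made for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address book (assumed names and prefixes).
ADDRESS_BOOK = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "local-lan": ipaddress.ip_network("192.168.1.0/24"),   # behind the NetScreen
    "remote-lan": ipaddress.ip_network("192.168.2.0/24"),  # behind the Firebox
}

# Simplified "set pol[icy] from <zone> to <zone> <src> <dst> <svc> <action> [vpn <name>]"
POLICY_RE = re.compile(
    r"set pol(?:icy)?\s+from\s+(\S+)\s+to\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(permit|deny|tunnel)(?:\s+vpn\s+(\S+))?\s*$"
)


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str
    action: str
    vpn: Optional[str]

    def matches(self, src_zone: str, dst_zone: str,
                src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address,
                service: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and src_ip in self.src and dst_ip in self.dst
                and self.service in ("any", service))

    def covers(self, other: "Policy") -> bool:
        """True when every flow `other` would match also matches self."""
        return (self.src_zone == other.src_zone and self.dst_zone == other.dst_zone
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.service in ("any", other.service))


def parse_policies(config: str) -> List[Policy]:
    policies = []
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed policy line: {line!r}")
        src_zone, dst_zone, src, dst, service, action, vpn = m.groups()
        policies.append(Policy(src_zone, dst_zone, ADDRESS_BOOK[src],
                               ADDRESS_BOOK[dst], service, action, vpn))
    return policies


def lookup(policies: List[Policy], src_zone: str, dst_zone: str,
           src_ip: str, dst_ip: str, service: str) -> Optional[Policy]:
    """First match wins, as the firewall does when it creates a new session."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.matches(src_zone, dst_zone, s, d, service):
            return p
    return None


def shadowed_tunnel_policies(policies: List[Policy]) -> List[Tuple[int, int]]:
    """(tunnel_index, shadowing_index) for every tunnel policy that an earlier
    non-tunnel policy in the same zone pair completely covers."""
    found = []
    for i, p in enumerate(policies):
        if p.action != "tunnel":
            continue
        for j in range(i):
            if policies[j].action != "tunnel" and policies[j].covers(p):
                found.append((i, j))
                break
    return found


# Constructed configs: the ordering the symptom suggests, and the corrected one.
BROKEN_CONFIG = """
set pol from trust to untrust any any any permit
set pol from untrust to trust remote-lan local-lan any tunnel vpn to-firebox
set pol from trust to untrust local-lan remote-lan any tunnel vpn to-firebox
"""

FIXED_CONFIG = """
set pol from trust to untrust local-lan remote-lan any tunnel vpn to-firebox
set pol from untrust to trust remote-lan local-lan any tunnel vpn to-firebox
set pol from trust to untrust any any any permit
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        pols = parse_policies(cfg)
        hit = lookup(pols, "trust", "untrust", "192.168.1.10", "192.168.2.20", "ping")
        print(f"{name}: trust->untrust LAN-to-LAN flow hits '{hit.action}'; "
              f"shadowed tunnel policies: {shadowed_tunnel_policies(pols)}")
```

With the broken ordering the untrust-to-trust tunnel policy still matches
(which is why traffic initiated from the Firebox side works), while the
trust-to-untrust flow falls into the catch-all permit; moving the tunnel
policy above the catch-all, as in FIXED_CONFIG, makes both directions select
the VPN and leaves ordinary Internet-bound traffic on the permit policy.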

