Firewall Wizards mailing list archives
FW: VPN Problems between WatchGuard Firebox 700 and Netscreen 5
From: David Klein <dklein () netscreen com>
Date: Tue, 2 Mar 2004 13:53:02 -0800
David, I'm assuming you are using policy-based VPNs (a policy with the "tunnel" action keyword) and not route-based VPNs (a tunnel linked to a pseudo interface with static routes into that interface/tunnel). If so, then make sure you have two policies enabled for the tunnel. Basically it sounds like your:

"set pol from untrust to trust ... vpn ..."

is working, but your:

"set pol from trust to untrust ... vpn ..."

policy is not working. Either check to make sure it's there and, if so, then make sure it is positioned properly so it is not shadowed by something like a:

"set pol from trust to untrust any any any permit"

policy.

Dave Klein
NetScreen SE

-----Original Message-----
From: David Kison [mailto:garetjax () keester com]
Sent: Tuesday, March 02, 2004 11:29 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN Problems between WatchGuard Firebox 700 and Netscreen 5

Good Morning.

I am currently experiencing problems getting an IPSEC VPN between a WatchGuard Firebox 700 and a Netscreen 5 functioning in both directions. I am able to pass traffic from behind the Firebox to the remote network and get a return, but if I attempt to pass traffic from behind the Netscreen 5, I am 100% unsuccessful. In the traffic logs on the WatchGuard, I am seeing denies related to spoofed source packets on the IPSEC "interface". It appears that the Netscreen is passing the public address of the firewall instead of the private address of the initiating system behind the Netscreen. Both firewalls are NATing private Class C networks.

I am out of ideas on the issue. Has anyone seen a similar issue? Any solutions?

Thanks in advance.

Dave

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
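The shadowing Dave Klein describes is a first-match problem: if a broad "trust to untrust any any any permit" policy sits above the outbound tunnel policy, outbound traffic hits the permit and leaves NATed to the firewall's public address, which is exactly what the Firebox then logs. The following is an added illustration, not NetScreen code or anything from this thread: a small model of ScreenOS-style first-match policy lookup plus a check that finds tunnel policies that can never match. The address ranges, policy IDs and the VPN name "to_firebox" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    src: str            # address book entry: a CIDR or "any"
    dst: str
    action: str         # "permit", "deny" or "tunnel"
    vpn: str = ""       # VPN name, only meaningful for action == "tunnel"

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def lookup(policies, src_zone, dst_zone, src_ip, dst_ip):
    """First-match lookup, as the firewall performs it for a new session."""
    for p in policies:
        if ((p.src_zone, p.dst_zone) == (src_zone, dst_zone)
                and ipaddress.ip_address(src_ip) in _net(p.src)
                and ipaddress.ip_address(dst_ip) in _net(p.dst)):
            return p
    return None

def shadowed_tunnel_policies(policies):
    """Tunnel policies that can never match: an earlier policy for the same
    zone pair already covers their whole source and destination range."""
    shadowed = []
    for i, p in enumerate(policies):
        if p.action != "tunnel":
            continue
        for q in policies[:i]:
            if ((q.src_zone, q.dst_zone) == (p.src_zone, p.dst_zone)
                    and _net(p.src).subnet_of(_net(q.src))
                    and _net(p.dst).subnet_of(_net(q.dst))):
                shadowed.append(p)
                break
    return shadowed

# Constructed rulebase (assumed: 192.168.1.0/24 behind the NetScreen in the
# trust zone, 192.168.2.0/24 behind the Firebox, VPN named "to_firebox").
LOCAL, REMOTE, VPN = "192.168.1.0/24", "192.168.2.0/24", "to_firebox"
MISORDERED = [
    Policy(1, "trust", "untrust", "any", "any", "permit"),        # broad rule matched first
    Policy(2, "untrust", "trust", REMOTE, LOCAL, "tunnel", VPN),   # inbound direction: works
    Policy(3, "trust", "untrust", LOCAL, REMOTE, "tunnel", VPN),   # outbound: shadowed by 1
]
# Same rulebase with policy 3 moved above policy 1 (the ordering fix Dave Klein
# suggests; the exact ScreenOS "set policy move" command form is assumed).
FIXED = [MISORDERED[2], MISORDERED[0], MISORDERED[1]]
```

Running `lookup(MISORDERED, "trust", "untrust", "192.168.1.10", "192.168.2.10")` returns policy 1 (plain permit, so the packet is NATed rather than tunneled), while the same lookup against `FIXED` returns tunnel policy 3, and `shadowed_tunnel_policies(MISORDERED)` reports policy 3 as unreachable.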