Re: VPN Problems between WatchGuard Firebox 700 and Netscreen 5

[Scott Higginbotham <scotth () voicenet com>]

David:

Some things to do if your still having the problem -

On the Netscreen side, from the command line:

'set console dbuf'
'debug flow basic'

Check and make sure the packets sent are being encrypted -

you may want to specify a flow filter to narrow down the traffic, you can
use:

'set ffilter src-ip'
'set ffilter dst-ip'

to narrow down the traffic

'get dbuf stream'

will show the debug traffic, and

'clear dbuf'

will reset it out -

'undebug all'  - does just that - stops the debugging.  Hope this helps
you determine the issue -

Scott Higginbotham
Voicenet Network Operations
215.674.9290 or 1.800.835.5710
scotth () voicenet com


On Tue, 2 Mar 2004, David Kison wrote:

> Good Morning.
>
> I am currently experiencing getting a IPSEC VPN between a WatchGuard Firebox
> 700 and a Netscreen 5 functioning in both directions.  I am able to pass
> traffic from behind the Firebox to the remote network and get a return but
> if I am attempt to pass traffic from behind the Netscreen 5, I am 100%
> unsuccessful.  In the traffic logs on the WatchGuard, I am seeing denies
> related to spoofed source packets on the IPSEC "interface".  It appears that
> the Netscreen is passing the public address of the firewall instead of the
> private address of the initiating system behind the Netscreen.  Both
> firewalls are NATing private Class C networks.
>
> I am out of ideas on the issue.  Has anyone seen a similar issue?  Any
> solutions?
>
> Thanks in advance.
>
> Dave
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards