Router to Router VPN Issue

I am trying to set up a 2621 router to create a VPN tunnel through 2 Checkpoint firewalls to a 3640 router on the other end. I can get the tunnel to establish and can ping both sides of the tunnel from the respective routers. When I try to ping host PCs on either side of the tunnel, the packet seems to get lost in the 3640 or in the firewall, although the logs do not show the packet reaching the firewall. Ethereal running on the host PCs shows the packet being requested and being replied to; tracert shows the packet dies after it hits the 3640. The setup is as follows:

Host A----> 2621---> Nokia Checkpoint Firewall----> cloud----> Nokia Checkpoint firewall----> 3640----> Host B

Any thoughts or ideas would be much appreciated! Thanks!!

Reply to
taylorrl

Have you tried turning on the debug for ip packet and NAT on the 3640? An access-list is another place that might block your packet because of some "deny" statement.

DT

Reply to
dt1649651

The debug ip packet shows that it is forwarding the packet on to the next hop gateway which is the checkpoint firewall and not the 2621.... is that correct?

Thanks again!

-=R

Reply to
taylorrl

When you ping from host A to host B, on the 3640, do you see:

  1. the ping packet from host A coming in on the interface that connects to the Checkpoint fw?
  2. the ping packet going to host B on the other interface?
  3. the reply packet from host B coming to the router?
  4. that packet being forwarded to the Checkpoint?

I think if it shows you are missing one of these, then it may help to find the culprit.

DT

Reply to
dt1649651
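The four-point checklist above is easy to lose track of in a scrolling `debug ip packet` session. As an added example (not code from the thread or from Cisco), here is a small Python checker that reads captured debug lines and reports which of the four stages were observed and which packets were not forwarded. The host addresses, interface names and the sample debug lines are constructed for illustration; the line shape (`IP: s=<src> (<in-if>), d=<dst> (<out-if>), g=<gw>, len <n>, <action>`) is the usual IOS `debug ip packet` format, with the output interface and gateway absent when the packet could not be routed.

```python
import re

# Constructed topology values; replace with the real addresses and interfaces.
HOST_A = "192.168.1.10"     # host behind the 2621
HOST_B = "192.168.2.10"     # host behind the 3640
FW_IFACE = "Serial0/0"      # 3640 interface facing the Checkpoint
LAN_IFACE = "Ethernet0/0"   # 3640 interface facing host B

# One "debug ip packet" line per packet decision. Output interface and
# gateway are only present when the router found a route and forwarded.
DEBUG_LINE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<inif>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<outif>[^)]+)\))?(?:, g=(?P<gw>[\d.]+))?"
    r", len (?P<len>\d+), (?P<action>.+)$"
)

STAGES = {
    1: "A->B echo arrives on the firewall-facing interface",
    2: "A->B echo forwarded out the LAN interface toward host B",
    3: "B->A reply arrives on the LAN interface",
    4: "B->A reply forwarded out toward the Checkpoint",
}

def parse(line):
    """Return the fields of one debug line, or None if it is not a packet line."""
    m = DEBUG_LINE.search(line)
    return m.groupdict() if m else None

def stages_seen(lines, host_a=HOST_A, host_b=HOST_B,
                fw_iface=FW_IFACE, lan_iface=LAN_IFACE):
    """Map each A<->B packet line onto the four checklist stages.

    Returns (set of stage numbers observed, list of lines that were not forwarded).
    """
    seen = set()
    not_forwarded = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        forwarded = p["action"].strip() == "forward"
        if p["src"] == host_a and p["dst"] == host_b:
            if p["inif"] == fw_iface:
                seen.add(1)
            if forwarded and p["outif"] == lan_iface:
                seen.add(2)
        elif p["src"] == host_b and p["dst"] == host_a:
            if p["inif"] == lan_iface:
                seen.add(3)
            if forwarded and p["outif"] == fw_iface:
                seen.add(4)
        if not forwarded:
            # "unroutable", access-list drops, etc.: the first place to look
            not_forwarded.append(line.strip())
    return seen, not_forwarded

def report(lines):
    """Summarise which stages were seen, which are missing, and what was dropped."""
    seen, dropped = stages_seen(lines)
    missing = [n for n in STAGES if n not in seen]
    return {"seen": sorted(seen), "missing": missing, "dropped": dropped}

# Constructed sample output: a healthy exchange and one where the reply
# from host B has no route back toward host A.
HEALTHY = [
    "IP: s=192.168.1.10 (Serial0/0), d=192.168.2.10 (Ethernet0/0), g=192.168.2.10, len 100, forward",
    "IP: s=192.168.2.10 (Ethernet0/0), d=192.168.1.10 (Serial0/0), g=10.0.0.1, len 100, forward",
]
BROKEN_RETURN = [
    HEALTHY[0],
    "IP: s=192.168.2.10 (Ethernet0/0), d=192.168.1.10, len 100, unroutable",
]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("broken return", BROKEN_RETURN)):
        r = report(sample)
        print(f"{name}: seen {r['seen']}, missing {r['missing']}")
        for n in r["missing"]:
            print(f"  stage {n}: {STAGES[n]}")
        for line in r["dropped"]:
            print(f"  not forwarded: {line}")
```

Feed it the debug output captured while pinging from host A to host B; a missing stage 4 with an `unroutable` line points at the return route on the 3640, a missing stage 1 means the Checkpoint never delivered the packet, and a line that is not `forward` for any other reason is where to check the access-lists DT mentions.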

The 3640 shows it being forwarded to the Checkpoint. Same thing happens on the other side: when pinging from host B through the 2621, the packet is forwarded on to the Checkpoint. I think I will try removing the Checkpoints from the setup and see if that helps things. If so, I guess I am off to a Checkpoint board to see what I need to add.

Thanks again!

-=R

Reply to
taylorrl

Update. I am having Cisco check on this issue, but I got the configuration to work once I set the Diffie-Hellman group instead of the default value. I am sure this may be a bug in either 12.1, which is on the 2621, or 12.3, which is running on the 3640. Also, to test a few theories on this issue, I removed the group settings and let them revert back to their default values and it still worked, so the bug may be that the Diffie-Hellman group on one of the IOS versions does not set itself until you interact with it. Again, I do not know for sure, but as soon as Cisco TAC gets back with me I will post their findings.

-=R

Reply to
taylorrl

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.