OK, this is my situation.
I have a site-to-site VPN between a PIX and a Checkpoint firewall, and all works well. The type of VPN on the Checkpoint side is, simplified. I have one network on the Checkpoint object for the VPN encryption domain, and one network for the PIX object as the destination network. All networks mirror each other.
As soon as the policy is pushed and the VPN is up, I can get to the outside interface of the PIX (the tunnel terminating point). As soon as the tunnel is up and I try to get there by ICMP/traceroute, Checkpoint blocks it, and Tracker says "no valid SA" etc.
I'm confused by this and have tried all sorts of things to sort it. I still need to get to the PIX on the external interface to manage it. I can put in an exclusion from encryption, which seems to work, but that's a bodge, and I still can't see why it stops the traffic, as the outside interface isn't in the encryption domain. If I try any other spare IP on the external PIX LAN, things are fine; it's just the external IP of the PIX I'm having problems with.
Does anyone have any ideas?