Checkpoint to Juniper VPN - utterly baffled

  • Hi all,
          hoping someone can help me out with this. We are trying to establish a site-to-site policy-based VPN from an SSG2000 to a Checkpoint device running NGX R65. Phase 1 and phase 2 seem to complete fine at both ends.

    Currently we have it up and running one way. We are the initiators (Juniper) and they can see traffic coming through fine. The problem is when their server tries to reply: the reply doesn't make it, and we aren't seeing any drops on the Juniper. When we do the standard debug ike all, debug flow det and filter for the src or dst IPs, there's just nothing.

    Doing debugging at their end they can see packets being encrypted and encapsulated but then the traffic seems to drop into a big black hole never to be seen again.

    Any ideas?

  • Having exactly the same problem. Can see the packet leave on the Juniper side and arrive on the Checkpoint side. Don’t see any reply on the Juniper side.

    Did you ever get this resolved?

  • Can you paste your config here?

    What is the policy configured on the Juniper, and what is the rule configured on the Checkpoint?

    Also, can you paste the debug flow basic output from when the issue happens, so we can check what the debug says.

  • We had similar problems in the past with Juniper to CP VPNs. We were using PFS in phase 2 and disabled PFS on the CP only. The VPN was then working fine for us.

  • Hmm, maybe I'm not being clear enough. When we initiate a connection from our side of the VPN (after phase 2 has finished) by sending a SYN packet, they receive it and the server responds with a SYN-ACK. We don't receive that SYN-ACK. The Checkpoint encrypts, encapsulates and sends it, and then we never hear from that packet ever again: no drops, no blocks, nothing on the Juniper.

  • So you mean to say that the VPN is up and fine and devices behind the Juniper can talk to devices behind the Checkpoint, but there is a problem when devices behind the Checkpoint initiate traffic to devices behind the Juniper?

    If that is the case, then you can kill the VPN and try initiating the traffic from the Checkpoint side to the Juniper side. When you do this, provide the below information.

    1. Event log from the Juniper.
    2. Log Viewer output from the Checkpoint.

    Hopefully the encryption domains are the same both ways, meaning the encryption domain defined on the Checkpoint and the address book entries used in the Juniper policies.

    If there is a problem initiating the VPN from the Checkpoint side, then provide the above two pieces of information.
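One way to do the encryption-domain comparison the reply above asks for, as an added example that is not part of the thread: each network the Checkpoint protects should be mirrored exactly by a Juniper address book entry and vice versa, since the phase 2 proxy-IDs are built from those objects. The subnets below are constructed sample values, not the poster's configuration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread). Checkpoint side: the
# encryption domain objects. Juniper side: address book entries referenced
# by the VPN policies. "local" is what sits behind that device.
CHECKPOINT_DOMAIN = {
    "local": ["10.20.0.0/16"],
    "remote": ["192.168.10.0/24", "192.168.11.0/24"],
}
JUNIPER_ADDRESS_BOOK = {
    "local": ["192.168.10.0/24", "192.168.11.0/24"],
    "remote": ["10.20.5.0/24"],  # narrower than the Checkpoint's 10.20.0.0/16
}


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _classify(net: ipaddress.IPv4Network, peer: List[ipaddress.IPv4Network]) -> Optional[str]:
    """None when the peer has the identical network, otherwise how it differs."""
    if net in peer:
        return None
    if any(net.supernet_of(o) for o in peer):
        return "supernet of peer entry"
    if any(net.subnet_of(o) for o in peer):
        return "subnet of peer entry"
    return "no matching peer entry"


def compare_domains(cp: Dict[str, List[str]], jn: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (direction, network, finding) for every network not mirrored
    exactly on the other side. Checkpoint 'local' must equal Juniper 'remote'
    and Checkpoint 'remote' must equal Juniper 'local'."""
    findings: List[Tuple[str, str, str]] = []
    pairs = [("cp_local/jn_remote", _nets(cp["local"]), _nets(jn["remote"])),
             ("cp_remote/jn_local", _nets(cp["remote"]), _nets(jn["local"]))]
    for label, side_a, side_b in pairs:
        for net in side_a:
            finding = _classify(net, side_b)
            if finding:
                findings.append((label, str(net), finding))
        for net in side_b:
            finding = _classify(net, side_a)
            if finding:
                findings.append((label, str(net), finding))
    return findings


if __name__ == "__main__":
    for direction, network, finding in compare_domains(CHECKPOINT_DOMAIN, JUNIPER_ADDRESS_BOOK):
        print(f"{direction}: {network} -> {finding}")
```

An empty result means both sides describe the same networks; any "supernet"/"subnet" line is a candidate for the one-way traffic described in the thread and is where to look first in the Juniper event log and the Checkpoint Log Viewer.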