Re: Trying to setup a VPN gateway to gateway on 8.2.1 Sidewinder

You have the first on backwards…

We want to be able to go from FW-2 [internal zone] and FW-1 [external zone] --> [tunnel]. This is a remotely deployed system without WAN connectivity.

The actual subnet will be from our NZ 172.30.251.0 trying to access an address on the FW-1 external burb.

FW-2 [external zone] --> [tunnel] --> FW-1 [external zone]. This is the same remotely deployed system with WAN connectivity.

We will still be trying to tunnel from FW2 (remote) to FW1 (local), as FW1 will have all of the FQDN and PKI certificates configured.

The last thing I tried was to configure our lab as in the example in Scenario 1 in the 8.1 Product Guide.

I only tried to ping during my testing; I will try telnet this afternoon. I will also set the zone back to VPN.

Answers to your questions:

10.100.16.1 is the NZ burb address on the remote firewall.

It was not; I will change that.

Our DMZ.

That is our inside address. It is the same on both firewalls. We were trying to keep both systems as close as possible, as they contain identical subsystems.

sliedl, Level 14, Message 12 of 14

Re: Trying to setup a VPN gateway to gateway on 8.2.1 Sidewinder

What I meant was, 'What does NZ mean?' I'm just guessing it means the firewall's address there.

Your last point brings up a scenario I've never thought about (and is a critical piece of information in all of this, by the way, so mention that next time huh? 😞

  • What would happen if you configured a VPN with a Local Network of your firewall's external subnet and a Remote Network of your firewall's internal subnet?
  • Would the routing system or the VPN system pick up the traffic first if you tried to go from your external network to your internal network?
  • That is, will the firewall try to route the traffic out your internal interface first or try to build a VPN tunnel first?

I think the VPN system will pick this up first myself.  It's definitely something to look at because if this is being routed out your internal interface we'll be missing all of that in the audit and tcpdumps on the other interface.  You can verify that easily with a tcpdump on that internal interface (and if it IS being routed out that interface that's why the tcpdumps on the external are showing no port 500 traffic, since the tunnel isn't even attempting to come up).

Re: Trying to setup a VPN gateway to gateway on 8.2.1 Sidewinder

Ok, I am much closer, seeing traffic between the 2 firewalls; however I am now getting 'no security association' errors.

Currently I have only the following configured.

Local firewall

3 burbs: External, Internal, and NeutralZone. The address of the internal is 172.30.1.254/24. The address of the external is 192.168.148.253/24. The address of the NeutralZone is 172.30.251.254/24.

Remote firewall

2 burbs: External and NeutralZone. The address of the external is 192.168.149.253/24. The address of the NeutralZone is 10.100.16.1/24.

The vpn configuration on local firewall is

local network 172.30.251.0/24, remote network 10.100.16.0/24, remote gateway 192.168.149.253, burb is NeutralZone

The vpn configuration on remote firewall is

local network 10.100.16.0/24, remote network 172.30.251.0/24, remote gateway 192.168.148.253, burb is NeutralZone

I am seeing data on port 500 and in showaudit -vk on both firewalls.
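The question sliedl raised earlier (what happens when the VPN's remote network is a subnet that is directly connected to the firewall) and the configuration listed in this post can both be checked mechanically before touching the firewalls. The script below is an added example written for this thread; it is not Sidewinder code and does not model the firewall's actual policy order. It takes each gateway's burb addresses and its VPN definition, flags a remote network that overlaps a directly connected subnet (the case where the connected route takes the packets and no port 500 traffic ever appears on the external burb), flags a local/remote overlap, and then checks that the two definitions mirror each other and that each remote gateway really is an interface address on the peer (the "fat finger" class of error). The addresses are the ones posted above; the `first_attempt` definition is the hypothetical scenario from sliedl's question, not a configuration anyone posted.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class FirewallVpn:
    """One gateway's burb addresses plus its gateway-to-gateway VPN definition."""
    name: str
    interfaces: dict      # burb name -> interface address with prefix, e.g. "192.168.148.253/24"
    local_net: str        # the VPN's "local network"
    remote_net: str       # the VPN's "remote network"
    remote_gateway: str   # the peer's external address


def _net(cidr):
    # strict=False lets an interface address such as 172.30.1.254/24 stand for its subnet
    return ipaddress.ip_network(cidr, strict=False)


def check_one(fw):
    """Checks a single gateway's definition against its own connected subnets.
    Returns a list of problem descriptions; an empty list means nothing was found."""
    problems = []
    local, remote = _net(fw.local_net), _net(fw.remote_net)
    gw = ipaddress.ip_address(fw.remote_gateway)
    if local.overlaps(remote):
        problems.append(f"{fw.name}: local network {local} overlaps remote network {remote}")
    for burb, addr in fw.interfaces.items():
        connected = _net(addr)
        if remote.overlaps(connected):
            # A directly connected route covers the destination, so the packets go out
            # that burb and never become IKE/ESP traffic on the external burb.
            problems.append(f"{fw.name}: remote network {remote} overlaps connected subnet "
                            f"{connected} on burb {burb}; traffic is routed, not tunnelled")
    if gw in local or gw in remote:
        problems.append(f"{fw.name}: remote gateway {gw} lies inside one of the tunnel's own networks")
    return problems


def check_pair(a, b):
    """Checks both gateways and verifies that the two definitions mirror each other."""
    problems = check_one(a) + check_one(b)
    if _net(a.local_net) != _net(b.remote_net):
        problems.append(f"{a.name} local {a.local_net} does not match {b.name} remote {b.remote_net}")
    if _net(a.remote_net) != _net(b.local_net):
        problems.append(f"{a.name} remote {a.remote_net} does not match {b.name} local {b.local_net}")
    for src, dst in ((a, b), (b, a)):
        gw = ipaddress.ip_address(src.remote_gateway)
        if not any(gw == ipaddress.ip_interface(addr).ip for addr in dst.interfaces.values()):
            problems.append(f"{src.name}: remote gateway {gw} is not an interface address of {dst.name}")
    return problems


# Addresses as posted in the thread (the working WAN configuration).
LOCAL_FW = FirewallVpn(
    name="local",
    interfaces={"external": "192.168.148.253/24",
                "internal": "172.30.1.254/24",
                "neutralzone": "172.30.251.254/24"},
    local_net="172.30.251.0/24", remote_net="10.100.16.0/24",
    remote_gateway="192.168.149.253")

REMOTE_FW = FirewallVpn(
    name="remote",
    interfaces={"external": "192.168.149.253/24",
                "neutralzone": "10.100.16.1/24"},
    local_net="10.100.16.0/24", remote_net="172.30.251.0/24",
    remote_gateway="192.168.148.253")

# Hypothetical scenario from sliedl's question: local network = the firewall's own external
# subnet, remote network = its own internal subnet (constructed for this example).
FIRST_ATTEMPT = replace(LOCAL_FW, name="first_attempt",
                        local_net="192.168.148.0/24", remote_net="172.30.1.0/24")


if __name__ == "__main__":
    for label, result in (("working pair", check_pair(LOCAL_FW, REMOTE_FW)),
                          ("first attempt", check_one(FIRST_ATTEMPT)),
                          ("typo in gateway", check_pair(LOCAL_FW, replace(REMOTE_FW, remote_gateway="192.168.148.235")))):
        print(label, "->", result or "no problems found")
```

The connected-subnet check is the one worth running before any packet capture: if it fires, a tcpdump on the overlapping burb will show the plain traffic, and the external burb will show no port 500 at all, exactly the symptom discussed above. The mirror check catches the class of error that turned out to be the final problem in this thread, where one side's definition did not match the other's.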

Re: Trying to setup a VPN gateway to gateway on 8.2.1 Sidewinder

After correcting a fat-finger error in one configuration, I have it working in our WAN configuration. This leads me to believe that we will have to redesign our mobile (remote) system's network addresses.
