You have the first one backwards…
We want to be able to go from FW-2 [internal zone] and FW-1 [external zone] --> [tunnel]. This is a remotely deployed system without WAN connectivity
The actual subnet will be our NZ, 172.30.251.0, trying to access an address on the FW-1 external burb.
FW-2 [external zone] --> [tunnel] --> FW-1 [external zone]. This is the same remotely deployed system with WAN connectivity
We will still be trying to tunnel from FW2 (remote) to FW1 (local), as FW1 will have all of the FQDN and PKI certificates configured.
The last thing I tried was to configure our lab as in the example in Scenario 1 of the 8.1 Product Guide.
I only tried to ping during my testing, I will try telnet this afternoon. I will also set the zone back to VPN
Answers to your questions
10.100.16.1 is the NZ burb address on the remote firewall.
It was not. I will change that.
Our DMZ
That is our inside address. It is the same on both firewalls. We were trying to keep both systems as close as possible, as they contain identical subsystems.
What I meant was, 'What does NZ mean?' I'm just guessing it means the firewall's address there.
Your last point brings up a scenario I've never thought about (and is a critical piece of information in all of this, by the way, so mention that next time huh? 😞
I think the VPN system will pick this up first myself. It's definitely something to look at because if this is being routed out your internal interface we'll be missing all of that in the audit and tcpdumps on the other interface. You can verify that easily with a tcpdump on that internal interface (and if it IS being routed out that interface that's why the tcpdumps on the external are showing no port 500 traffic, since the tunnel isn't even attempting to come up).
Ok, I am much closer, seeing traffic between the 2 firewalls, however I am getting no security association errors now.
Currently I have only the following configured.
Local firewall
3 burbs: External, Internal, and NeutralZone. The address of the internal is 172.30.1.254/24. The address of the external is 192.168.148.253/24. The address of the NeutralZone is 172.30.251.254/24.
Remote firewall
2 burbs: External and NeutralZone. The address of the external is 192.168.149.253/24. The address of the NeutralZone is 10.100.16.1/24.
The vpn configuration on local firewall is
local network 172.30.251.0/24, remote 10.100.16.0/24, remote gateway 192.168.149.253, burb is neutralzone
The vpn configuration on remote firewall is
local network 10.100.16.0/24, remote 172.30.251.0/24, remote gateway 192.168.148.253, burb is neutralzone
I am seeing data both on port 500 and in showaudit -vk on both firewalls.
After correcting a fat-finger error in one configuration, I have it working in our WAN configuration. This leads me to believe that we will have to redesign our mobile (remote) system network addresses.