Netgate Discussion Forum

    IPSEC between PfSENSE and Checkpoint R65

    3 Posts 2 Posters 3.1k Views
    • spiritbreaker

      Hi,

      I have some trouble getting the IPsec to work. There are multiple networks behind the Checkpoint I need to reach, so I defined multiple tunnels to the Checkpoint.

      Scenario:

      192.168.0.1/24  PFSENSE ------INTERNET---------- Checkpoint -------- eg 10.1.0.0/10 and 192.168.140/24

      IPSEC phase 1 is working. IPSEC status in GUI is green (Tunnel up).

      If someone from a net behind the Checkpoint firewall tries to reach an IP on the local pfSense network, I get errors,
      e.g. ping from 10.1.1.10 to 192.168.0.50.

      Phase 2:

      2010-07-09 12:12:37: DEBUG: check and compare ids : value mismatch (IPv4_subnet)

      Is there maybe a problem with identifiers with multiple tunnels? All tunnels have id=0.

      2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='172.0.1.0/24', rmt='10.1.0.0/10', peer='ANY', id=0
      2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='172.0.1.0/24', rmt='192.168.140.0/24', peer='ANY', id=0

      In the docs I found:

      Without unique identifiers for each tunnel between two given routers, the ipsec daemon cannot distinguish between the traffic for each tunnel, and will likely drop/lose packets.

      On the Checkpoint side there is only 1 tunnel, VPN-domain policy based.

      ty

      cya

      Pfsense running at 11 Locations
      -mobile OPENVPN and IPSEC
      -multiwan failover
      -filtering proxy(squidguard) in bridgemode with ntop monitoring

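      As an added diagnostic (example code written for this page, not from the thread or from the pfSense project), the following Python reproduces the exact-match ID comparison behind racoon's "check and compare ids" message over sainfo lines like the ones quoted above, and additionally flags selectors whose address has bits set outside the prefix mask (10.1.0.0/10 is really 10.0.0.0/10). The log sample is re-typed from the post and the peer proposals used to exercise it are constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the racoon debug lines quoted in the post
# above (re-typed for this example, not a capture from the poster's firewall).
RACOON_LOG = """\
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='172.0.1.0/24', rmt='10.1.0.0/10', peer='ANY', id=0
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='172.0.1.0/24', rmt='192.168.140.0/24', peer='ANY', id=0
"""

SAINFO_RE = re.compile(r"evaluating sainfo: loc='([^']+)', rmt='([^']+)'")


def parse_sainfo(log):
    """Return the raw (loc, rmt) subnet strings racoon evaluated, in order."""
    return SAINFO_RE.findall(log)


def host_bits_warnings(sainfo):
    """Flag selectors whose address has bits set outside the prefix mask
    (e.g. 10.1.0.0/10 really means 10.0.0.0/10), a common configuration typo."""
    warnings = []
    for loc, rmt in sainfo:
        for side, spec in (("loc", loc), ("rmt", rmt)):
            try:
                ipaddress.ip_network(spec)          # strict: raises on host bits
            except ValueError:
                net = ipaddress.ip_network(spec, strict=False)
                warnings.append(f"{side}={spec} has host bits set; mask covers {net}")
    return warnings


def match_phase2(sainfo, local_id, remote_id):
    """Compare the peer's proposed Phase 2 IDs against each sainfo exactly,
    which is what racoon's 'check and compare ids' step does (no narrowing).
    Returns (matching (loc, rmt) or None, per-sainfo mismatch reasons)."""
    want = (ipaddress.ip_network(local_id, strict=False),
            ipaddress.ip_network(remote_id, strict=False))
    reasons = []
    for loc, rmt in sainfo:
        have = (ipaddress.ip_network(loc, strict=False),
                ipaddress.ip_network(rmt, strict=False))
        if have == want:
            return (loc, rmt), reasons
        side = "loc" if have[0] != want[0] else "rmt"
        reasons.append(f"loc={loc} rmt={rmt}: {side} value mismatch (IPv4_subnet)")
    return None, reasons
```

      Running match_phase2 with the subnets the peer actually proposes shows which side of which sainfo disagrees, which is the information the single "value mismatch (IPv4_subnet)" line hides.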
      • jimp (Rebel Alliance Developer, Netgate)

        It may be an issue with multiple tunnels going to the Checkpoint. You might try a 2.0 snapshot; you can have multiple phase 2 networks inside of a phase 1 definition there.

        • spiritbreaker

          Hi Jimp,

          I got it to work with pfSense 1.2.3. After some debugging we corrected the Phase 2 remote network settings.

          Tunnel is up and working like a charm.

          cya

          :CLOSED

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.