IPsec between pfSense and Checkpoint R65
I have some trouble getting IPsec to work. There are multiple networks behind the Checkpoint I need to reach, so I defined multiple tunnels to the Checkpoint.
192.168.0.1/24 pfSense ---------INTERNET--------- Checkpoint -------- e.g. 10.1.0.0/10 and 192.168.140.0/24
IPsec phase 1 is working. The IPsec status in the GUI is green (tunnel up).
If someone from a net behind the Checkpoint firewall tries to reach an IP on the local pfSense network, I get errors.
e.g. ping from 10.1.1.10 to 192.168.0.50
2010-07-09 12:12:37: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Is there maybe a problem with identifiers with multiple tunnels? All tunnels have id=0.
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='220.127.116.11/24', rmt='10.1.0.0/10', peer='ANY', id=0
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='18.104.22.168/24', rmt='192.168.140.0/24', peer='ANY', id=0
In the docs I found:
"Without unique identifiers for each tunnel between two given routers, the ipsec daemon cannot distinguish between the traffic for each tunnel, and will likely drop/lose packets."
On the Checkpoint side there is only one tunnel, VPN-domain/policy based.
It may be an issue with multiple tunnels going to the Checkpoint. You might try a 2.0 snapshot; you can have multiple phase 2 networks inside a phase 1 definition there.
I got it to work with pfSense 1.2.3. After some debugging we corrected the Phase 2 remote network settings.
The tunnel is up and working like a charm.
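The thread's "check and compare ids : value mismatch (IPv4_subnet)" message comes from the Phase 2 step where racoon compares the peer's proposed local/remote selectors against its configured sainfo pairs, and the fix was a corrected Phase 2 remote network. The following is an added illustration of that comparison, written for this thread; it is not racoon or pfSense code. It parses sainfo candidates out of debug lines shaped like the ones quoted above (the two entries are constructed from the OP's log, with the pfSense LAN assumed to be 192.168.0.0/24 since the quoted loc values are unreadable), then reports for a proposed selector pair whether any entry covers it and, if not, which side disagrees. The model assumes a responder accepts a proposal whose two selectors each fall inside one configured pair; that acceptance rule, the reason codes and the swapped-selector check are part of this example, not behaviour read from racoon's source.

```python
"""Toy model of IPsec Phase 2 selector (racoon "sainfo") matching.

Added example for the forum thread; not racoon or pfSense code.
Assumption: a proposal matches when its local and remote subnets each lie
inside the corresponding subnet of a single configured sainfo entry.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed debug lines modelled on the thread's "evaluating sainfo" output.
# The loc value is assumed to be the pfSense LAN from the diagram (192.168.0.0/24).
SAINFO_LOG = """\
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='10.1.0.0/10', peer='ANY', id=0
2010-07-09 12:12:37: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.140.0/24', peer='ANY', id=0
"""

SAINFO_RE = re.compile(
    r"evaluating sainfo: loc='(?P<loc>[^']+)', rmt='(?P<rmt>[^']+)', "
    r"peer='(?P<peer>[^']+)', id=(?P<id>\d+)"
)


class Sainfo(NamedTuple):
    loc: ipaddress.IPv4Network
    rmt: ipaddress.IPv4Network
    peer: str
    id: int


def net(text: str) -> ipaddress.IPv4Network:
    # strict=False so a prefix written with host bits set (10.1.0.0/10, as in
    # the thread) still parses; it normalises to 10.0.0.0/10.
    return ipaddress.ip_network(text, strict=False)


def parse_sainfo(log_text: str) -> List[Sainfo]:
    """Collect the sainfo candidates logged while a proposal was evaluated."""
    entries = []
    for line in log_text.splitlines():
        m = SAINFO_RE.search(line)
        if m:
            entries.append(Sainfo(net(m["loc"]), net(m["rmt"]), m["peer"], int(m["id"])))
    return entries


def match_phase2(entries: List[Sainfo], proposed_loc: str,
                 proposed_rmt: str) -> Tuple[Optional[Sainfo], str]:
    """Return (matching entry or None, reason code).

    Reason codes: "match", "swapped" (the pair would match with loc and rmt
    exchanged, a frequent Phase 2 misconfiguration), "remote-mismatch",
    "local-mismatch", "split-match" (each side covered, but by different entries).
    """
    ploc, prmt = net(proposed_loc), net(proposed_rmt)
    for e in entries:
        if ploc.subnet_of(e.loc) and prmt.subnet_of(e.rmt):
            return e, "match"
    if any(prmt.subnet_of(e.loc) and ploc.subnet_of(e.rmt) for e in entries):
        return None, "swapped"
    if not any(prmt.subnet_of(e.rmt) for e in entries):
        return None, "remote-mismatch"
    if not any(ploc.subnet_of(e.loc) for e in entries):
        return None, "local-mismatch"
    return None, "split-match"


if __name__ == "__main__":
    table = parse_sainfo(SAINFO_LOG)
    # Constructed proposals: one covered by the first entry, one for a network
    # behind the Checkpoint that no entry covers, and one with swapped sides.
    for loc, rmt in [("192.168.0.0/24", "10.1.1.0/24"),
                     ("192.168.0.0/24", "192.168.141.0/24"),
                     ("10.1.1.0/24", "192.168.0.0/24")]:
        entry, reason = match_phase2(table, loc, rmt)
        print(f"loc={loc} rmt={rmt}: {reason}"
              + (f" via sainfo rmt={entry.rmt}" if entry else ""))
```

Running it prints one line per constructed proposal; anything other than "match" is what shows up in the racoon log as the "value mismatch (IPv4_subnet)" line, and the reason code points at which Phase 2 field to compare against the peer's configuration.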