vpn 3000 RRI

Answered Question
May 28th, 2007

Hi guys,

I've been working on establishing a VPN between a VPN 3000 and a Checkpoint. The problem I am having on the VPN 3000 is that if I don't select "reverse route injection" it won't establish the VPN.

I thought it may have been because the local LAN routes didn't exist on the VPN 3000, so I added statics to match the network lists, but it still wouldn't come up. As soon as I enable reverse route injection it works fine.

Any ideas?

Thanks,

Adam Baxter.

jaffer_sathik2010 Mon, 05/28/2007 - 03:35

Hi Adam,

Are you performing any load balancing stuff on the VPN concentrator?

Topology:

---------

lan1--(concentrator)-------(checkpoint)--Lan2

In the above topology, if you select RRI on the concentrator, a route for the Lan2 networks will be forwarded by the concentrator to the Lan1 segments via the concentrator's private interface.

Hope it helps. Please rate all helpful posts.

--Jaffer

Correct Answer
ggilbert Tue, 05/29/2007 - 05:09

Adam,

Take out the static routes and also disable reverse route injection.

Enable the logs on the concentrator for severity 1-13 for AUTH, AUTHDBG, IKE, IKEDBG, IPSEC & IPSECDBG.

Try to send ping for the interesting traffic. Capture logs and send them to this post, let me take a look at them and see if there is any issue that jumps out.

Cheers

gilbert

James.Ren Fri, 06/01/2007 - 23:05

Dear Adam,

It seems to me that before you enable RRI, you need to enable routing on the Private port for redistributing stuff. There are three rules for injecting reverse routes. However, when you establish an L-2-L VPN using the Public interface you will find that the VPN3000 uses the default gateway address as the next hop of the injected route, not the peer's address.

Cheers,

James Ren
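As an added illustration of what Jaffer and James describe (this is not code from the thread or from Cisco): a small Python model of the concentrator's routing table, using constructed addresses, showing that the route RRI injects for Lan2 takes the default gateway as its next hop and so changes what is redistributed toward Lan1 rather than how the concentrator itself forwards.

```python
import ipaddress

# Constructed sample addresses for illustration only.
DEFAULT_GW = "203.0.113.1"   # next hop of the default route on the public interface
PEER = "198.51.100.7"        # CheckPoint public address (not used as next hop)
LAN1 = "10.1.0.0/16"         # behind the concentrator's private interface
LAN2 = "10.2.0.0/16"         # behind the CheckPoint peer

def base_table():
    """Routing table before RRI: connected Lan1 plus a default route (prefix, next_hop, iface)."""
    return [
        (ipaddress.ip_network(LAN1), None, "private"),
        (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW, "public"),
    ]

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def inject_reverse_routes(table, remote_networks, default_gw):
    """Model RRI for a LAN-to-LAN tunnel terminated on the public interface:
    one route per remote network, next hop = default gateway (as James notes),
    not the peer address."""
    injected = [(ipaddress.ip_network(n), default_gw, "public") for n in remote_networks]
    return table + injected

def advertised_to_private(table):
    """Prefixes a routing protocol on the private interface would redistribute to Lan1:
    the injected (non-default) routes pointing out the public interface."""
    return [str(r[0]) for r in table if r[2] == "public" and r[0].prefixlen > 0]
```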
