We observe strange behaviour on a VPN between a Cisco router (LAN A) and a Checkpoint (LAN B).
* checkpoint secureplatform NGX R65 HFA_30, Hotfix630 Build 007
* Cisco Router 2801 with IOS c2801-advsecurityk9-mz.124-2.T.bin
In the host-to-site VPN (Cisco to Checkpoint) on these appliances, some hosts in LAN B (behind the Checkpoint) are unreachable.
When one of these unreachable hosts in LAN B pings the host in LAN A, it becomes reachable.
The Checkpoint's VPN Domain and the router's crypto map access lists are correctly aligned.
Checkpoint Tunnel Management is configured as 'One VPN tunnel per subnet pair'; SolutionID sk16536 was also applied to avoid network summarization.
The output of "sh crypto ipsec sa" on the Cisco router shows me a lot of host-to-host tunnels rather than host-to-site: is this normal behaviour?
The host defined in LAN A checks the hosts in LAN B every 5 minutes; in the Checkpoint log I cannot find any info about the IKE session going down.
Details are in the attached 'sh crypto ipsec sa.txt'.
Are there any best practices for this kind of configuration?
Instead of the current host-to-site configuration, could a site-to-site configuration (with an ACL to authorize only the LAN A host) solve this problem?
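Added example, not from the post or its attachment: a small Python helper that parses "show crypto ipsec sa" output, classifies each phase-2 SA by its selector masks (so you can see at a glance whether the router negotiated host-to-host or subnet-to-subnet tunnels), and flags SAs that encapsulate but never decapsulate, which is the counter pattern behind "unreachable until the far side pings". The sample output is constructed and the ident/#pkts line layout is assumed to follow the usual IOS format.

```python
import re

# Constructed sample of IOS "show crypto ipsec sa" output (not the poster's
# attachment): three phase-2 SAs to one peer, two of them with /32 selectors.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.21/255.255.255.255/0/0)
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
    #pkts encaps: 900, #pkts encrypt: 900, #pkts digest: 900
    #pkts decaps: 880, #pkts decrypt: 880, #pkts verify: 880
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident .*?: \((\S+?)/(\S+?)/")
PKTS = re.compile(r"^\s*#pkts (encaps|decaps): (\d+)")
HOST_MASK = "255.255.255.255"

def parse_ipsec_sa(text):
    """Return one dict per phase-2 SA: selectors, masks and encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":            # each SA block starts with 'local ident'
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            cur[side] = f"{addr}/{mask}"
            cur[side + "_mask"] = mask
            continue
        m = PKTS.match(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def classify(sa):
    """Tunnel granularity from the selector masks: 0, 1 or 2 host (/32) selectors."""
    hosts = (sa["local_mask"] == HOST_MASK) + (sa["remote_mask"] == HOST_MASK)
    return ["subnet-to-subnet", "host-to-subnet", "host-to-host"][hosts]

def one_way_sas(sas):
    """SAs that send traffic but never receive any: the far side is not answering on this SA."""
    return [sa for sa in sas if sa["encaps"] > 0 and sa["decaps"] == 0]
```

Feed it the real attachment text instead of SAMPLE; a long list of host-to-host entries where the Checkpoint side is set to one tunnel per subnet pair points at a selector mismatch rather than at IKE going down.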