I have someone on our internal network that needs to VPN to a customer's site. I've set up rules on the outside interface allowing PPTP and GRE from the server that the person is connecting to, to our internal network. The user is able to connect and authenticate, but after that they are not able to get to any of the servers on the customer's site.
The person is using the Check Point VPN client to connect.
Just went through this process (except the client was Cisco and the firewall was an FWSM context). Try enabling ESP inbound:
access-list whatever extended permit esp host server any
or something like that. If that doesn't work, make sure you have an explicit "deny ip any any log" at the end of your inbound ACL, have the level set correctly, and review the log. You should see messages sourced from the server being denied, which will tell you what you need to allow.
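As an added example that is not part of this thread: a small Python helper that does what the answer above describes, reading ASA 106023 deny messages, keeping only those sourced from the VPN server, and turning them into host-to-host access-list lines. The log lines are constructed, and the 106023 message layout, the interface names and the ACL name "outside_access_in" are assumptions, not values from the thread.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample syslog lines (not from the thread), shaped like ASA message
# 106023, which records packets dropped by an interface ACL. Two protocols from
# the VPN server are denied (one of them twice); one unrelated UDP packet from
# another host is included to show it is ignored.
SAMPLE_LOG = """
%ASA-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:10.10.1.50 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny protocol 47 src outside:203.0.113.10 dst inside:10.10.1.50 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:10.10.1.50/40000 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:10.10.1.50 by access-group "outside_access_in" [0x0, 0x0]
"""

# Protocol numbers the ASA prints for non-TCP/UDP traffic, mapped to ACL keywords.
PROTO_NAMES = {"47": "gre", "50": "esp", "51": "ah", "1": "icmp"}

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp|protocol \d+) "
    r"src [\w-]+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst [\w-]+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def denied_flows(lines: Iterable[str], server: str) -> List[Tuple[str, str, str]]:
    """Return unique (protocol, dst, dport) tuples denied from `server`, first-seen order."""
    seen: List[Tuple[str, str, str]] = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m.group("src") != server:
            continue  # not a 106023 deny, or not from the VPN server we care about
        proto = m.group("proto")
        if proto.startswith("protocol "):
            num = proto.split()[1]
            proto = PROTO_NAMES.get(num, num)  # ACL syntax accepts a name or the raw number
        flow = (proto, m.group("dst"), m.group("dport") or "")
        if flow not in seen:
            seen.append(flow)
    return seen


def acl_lines(flows, server: str, acl_name: str = "outside_access_in") -> List[str]:
    """Build least-privilege permit lines: one host-to-host entry per denied flow."""
    out = []
    for proto, dst, dport in flows:
        line = f"access-list {acl_name} extended permit {proto} host {server} host {dst}"
        if dport and proto in ("tcp", "udp"):
            line += f" eq {dport}"
        out.append(line)
    return out


if __name__ == "__main__":
    for entry in acl_lines(denied_flows(SAMPLE_LOG.splitlines(), "203.0.113.10"), "203.0.113.10"):
        print(entry)
```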
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...