About nitesharbale

@Astardzhiev Finally after a week of troubleshooting, it started working. Thanks for your valuable suggestion, it wont be possible without your help. I will put the changes i made in steps below, so that it would help other folks as well. First read 4-B here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101219. Below are snaps.   Step 1: changed from "true to "false"   Step 2: changed to false   Step3: changed to false     On PA: Go to Network TAB-->IPSec Tunnel-->Open the tunnel-->inside proxy ID i defined 200.1.1.1(PA local NAT IP, earlier it was 10.172.0.0/24, while troubleshooting i changed to 200.1.1.x) and remote as 10.168.1.1(CP IP). Earlier it was whole subnet i.e 200.1.1.0/24 and 10.168.1.0/24     @Astardzhiev because i have static nat, do i always need to define /32 as proxy ID ? Thanks ... View more

@Astardzhiev Thankyou.. though the issue is not completely resolved. Ping from PA to CP worked fine, but CP to PA is failing. I have static NAT (like i did in PA) and have correct security policy as well. phase 2 shows like this.    2 SAs of all instances: Peer 10.12.1.1 , SITEB-PA-GATEWAY SAs: IKE SA <fef1591def15bc75,e45b67b52d88ed60> (No IPSec SAs)     [Expert@SITEA-GW:0]# fw ctl zdebug + drop | grep "10.168.1.1" @;45251;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 -> 10.172.0.10:50919 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established; @;45251;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 -> 10.172.0.10:676 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established; @;45252;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 -> 10.172.0.10:27231 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established; @;45252;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 -> 10.172.0.10:59929 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;   I am waiting for their reply and let me see what new comes up in checkpoint now to resolve this. Again thanks for the help sir. ... View more

@Astardzhiev Finally it is working now. Checkpoint is really tricky.    On CP i added both local and original subnet under object group     Thankyou very much for helping and making me this understand. On youtube i found simple S2S vpn. This LAB helped me understand the concept in much better way.  ... View more

Below is what i got   Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! VPN Gateway > 10.12.1.1 Encryption domain 10.12.1.1 - 10.12.1.1 10.172.0.0 - 10.172.0.255 VPN Gateway > 192.168.1.1 Encryption domain 10.11.1.0 - 10.11.1.0 10.11.1.1 - 10.11.1.1 10.11.1.2 - 10.11.1.63 192.168.0.253 - 192.168.0.253 192.168.1.0 - 192.168.1.0 192.168.1.1 - 192.168.1.1 192.168.1.2 - 192.168.1.255 Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! [Expert@SITEA-GW:0]#     ... View more

Have you tried to run this - https://community.checkpoint.com/t5/Security-Gateways/One-liner-to-show-VPN-topology-on-gateways/td-...   -->No i am afraid to run that, all my configs and troubleshooting done along with you guys would go in vain. And have to start new troubleshooting on CP if any thing goes wrong after running this command. ... View more