Thread: Remote VPN Gateway can't be reached by HTTPs




Remote VPN Gateway can't be reached by HTTPs
2007-10-24 02:48:02
Hello All,
 
We set up a Site2Site VPN with a customer.
This VPN Tunnel is correctly working.

The customer is asking us to access a webserver which is
hosted on the remote VPN gateway, on port 443. (So the remote
VPN Gateway is managing the Site2Site VPN and the
Webserver.)

=> we set up a rule to allow this connection directly,
not through the VPN Tunnel.

In the logs, this rule is matched, but a "No Valid
SA" error is occurring.

Any idea on how to solve that?
 
Best Regards,
 
Olivier RAFAEL
 
 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: Remote VPN Gateway can't be reached by HTTPs
United Kingdom
2007-10-24 03:59:28
Rafaël Olivier wrote:
> Hello All,
>
Hi,
> We setup a Site2Site VPN with a customer.
> This VPN Tunnel is correctly working.
>
> The customer is asking us to access a webserver which
> is hosted on the remote VPN gateway, on port 443. (so remote
> VPN Gateway is managing the Site2Site VPN and the
> Webserver)
>
> => we setup a rule to allow this connection,
> directly, not through the VPN Tunnel.
>
> In the logs, this rule is matched, but a "No Valid
> SA" error is occurring.
>
You wrote above "the VPN tunnel is correctly
working".

This conflicts with "no valid SA".

The SAs are generated during Phase 2,
so "no valid SA" means Phase 2 doesn't work.

You should check the VPN settings on both sides, then
contact your Check Point support.

Good luck.
>  
> Any idea on how to solve that ?
>  
> Best Regards,
>  
> Olivier RAFAEL
>  
>  


Re: Remote VPN Gateway can't be reached by HTTPs
Italy
2007-10-24 04:24:58
Hi, does the webserver have to be reached through the tunnel or
directly from the Internet?

When you write:

=> we setup a rule to allow this connection, directly,
not through the VPN Tunnel

it seems to be in the clear (not in the tunnel), is that right?

And I agree with pkc: if it has to pass through the tunnel, you
should check the SAs and the rulebase again.

ciao



--

Paolo Riviello

Mob. +39.328.1749468
Home: http://www.paoloriviello.com
E-mail: paolo@paoloriviello.com
Msn: pao_rivi@hotmail.com
Skype: pao_rivi
-----
I'm a rebel, soul rebel I'm a capturer, soul adventurer
See the morning sun, On the hillside not living good, travel
wide.


Re: Remote VPN Gateway can't be reached by HTTPs
2007-10-24 05:21:07
Hi,

Thanks for your answers!

The connection to the webserver is supposed to go directly over
the Internet, not through the VPN Tunnel.

So, VPN errors should not occur.

But the webserver and the remote gateway (for the Site2Site VPN) are
the same machine (same IP). That may conflict.

(I already opened a case at Checkpoint Support, but it
sometimes takes some time to get answers.)

Olivier.



Re: Remote VPN Gateway can't be reached by HTTPs
United Kingdom
2007-10-24 06:34:07
Rafaël Olivier wrote:
> Hi,
>
> Thanks for your answers !
>
> The connection to webserver is supposed to go directly
> on the Internet, not through the VPN Tunnel.
>
> So, VPN errors should not occur.
>
> But the webserver and remote gateway (for Site2Site
> VPN) are the same machine (same IP). That may conflict.
>
> (I already opened a case at Checkpoint Support, but
> sometimes takes some time to get answers  ).
>
> Olivier.
>
>
Check in the topology that the remote VPN domain doesn't
include the IP of the webserver you'd like to reach.


Re: Remote VPN Gateway can't be reached by HTTPs
2007-10-24 07:42:32
If I understand you correctly, the VPN device on the other
side and the webserver, which is accessible via HTTP (443), have the
same IP. Assuming that you do not have to pass HTTPS over the VPN
tunnel for any other reason (i.e. to another server), you could also
go into the VPN community advanced properties and add https as an
excluded service. I believe this would solve the problem you are
having.

Thanks,
Steve



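Added example, not written by any participant in this thread: a small Python model of the decision the three replies describe. A gateway treats a packet as "must be encrypted" when its source lies in the local VPN domain and its destination in the remote VPN domain; if no Phase 2 SA covers that pair, the packet is dropped with "No valid SA". The model reproduces the thread's failure mode (the customer's VPN domain covering the customer gateway's own address) and both proposed fixes: taking the webserver/gateway IP out of the remote VPN domain (pkc) and excluding the service from the community (Steve). Everything here is constructed for illustration: the addresses are RFC 5737 documentation ranges, the port-based exclusion and the per-subnet SA list are a simplification, and none of it is Check Point's actual implementation.

```python
"""Toy model of 'encrypt / clear / no valid SA' for a site-to-site community.

Constructed example; it is not Check Point's logic, only the decision the
thread is reasoning about, written down so each fix can be checked.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Peer:
    name: str
    gateway_ip: str      # external address the tunnel terminates on
    vpn_domain: list     # encryption domain: networks behind this gateway

    def domain_includes_gateway(self) -> bool:
        """The topology check from the thread: a peer's VPN domain should not
        contain that peer's own gateway address."""
        gw = ip_address(self.gateway_ip)
        return any(gw in ip_network(n) for n in self.vpn_domain)


@dataclass
class Community:
    local: Peer
    remote: Peer
    excluded_services: set = field(default_factory=set)   # TCP ports sent in the clear
    phase2_sas: list = field(default_factory=list)        # (local_net, remote_net) pairs with a live SA


def _in_domain(ip: str, domain: list) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in domain)


def classify(c: Community, src: str, dst: str, dport: int) -> str:
    """Return 'clear', 'encrypt' or 'no_valid_sa' for one packet."""
    # Outside the domain pair: ordinary clear-text traffic, the rulebase decides.
    if not (_in_domain(src, c.local.vpn_domain) and _in_domain(dst, c.remote.vpn_domain)):
        return "clear"
    # Excluded service: matched by the community but deliberately left in the clear.
    if dport in c.excluded_services:
        return "clear"
    # Otherwise the packet needs a Phase 2 SA whose selectors cover it.
    s, d = ip_address(src), ip_address(dst)
    for lnet, rnet in c.phase2_sas:
        if s in ip_network(lnet) and d in ip_network(rnet):
            return "encrypt"
    return "no_valid_sa"


def scenarios() -> dict:
    """The thread's situation and the two fixes, on constructed addresses."""
    local = Peer("ours", "203.0.113.10", ["10.1.0.0/16"])
    # Misconfigured: the customer's VPN domain is the whole /24, which also
    # contains the customer gateway (= webserver) address 198.51.100.1.
    remote_bad = Peer("customer", "198.51.100.1", ["198.51.100.0/24"])
    # The tunnel "works": an SA exists for the hosts actually behind the gateway.
    sas = [("10.1.0.0/16", "198.51.100.128/25")]

    broken = Community(local, remote_bad, phase2_sas=sas)
    # Fix 1: remove the gateway/webserver IP from the remote VPN domain.
    remote_ok = Peer("customer", "198.51.100.1", ["198.51.100.128/25"])
    fixed_domain = Community(local, remote_ok, phase2_sas=sas)
    # Fix 2: keep the domain, exclude HTTPS from the community.
    fixed_excl = Community(local, remote_bad, excluded_services={443}, phase2_sas=sas)

    return {
        "bad_domain_overlaps_gateway": remote_bad.domain_includes_gateway(),
        "ok_domain_overlaps_gateway": remote_ok.domain_includes_gateway(),
        "broken_https_to_gateway": classify(broken, "10.1.2.3", "198.51.100.1", 443),
        "broken_http_to_lan_host": classify(broken, "10.1.2.3", "198.51.100.130", 80),
        "fixed_domain_https_to_gateway": classify(fixed_domain, "10.1.2.3", "198.51.100.1", 443),
        "fixed_excl_https_to_gateway": classify(fixed_excl, "10.1.2.3", "198.51.100.1", 443),
        "fixed_excl_http_to_lan_host": classify(fixed_excl, "10.1.2.3", "198.51.100.130", 80),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```

The two fixes are not equivalent: narrowing the remote VPN domain only changes the one address, while excluding the service affects every HTTPS flow between the two domains, which is why Steve qualifies his suggestion with "assuming you do not have to pass HTTPS over the VPN tunnel for any other reason".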