In the "vpn-communities" properties, you need to set the VPN tunnel type to one VPN tunnel per gateway for route-based VPNs whose peers use 0.0.0.0/0 as the proxy-ID (aka traffic selector).
If you do not enable this, the proxy-IDs will not match and the tunnel will never come up.
TIP: from expert mode you can view the negotiated inbound and outbound SPI tables,
e.g.
fw tab -t inbound_SPI -m 1000
fw tab -t outbound_SPI -m 1000
The output looks similar to the line below when the all-zero selectors are in play (note the empty First: and 255.255.255.255 Last: values in MyRange and PeerRange).
9:26:37 5 N/A N/A 10.20.204.4 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; SPI: 13608394; Protocol: IPSEC_ESP_SA(2); Schema: IKE(3); Me: 172.20.12.9; Peer: 12.0.1.132; Owner: 127.0.0.1; MyRange:First: ; Last: 255.255.255.255; PeerRange:First: ; PeerLast: 255.255.255.255; HWInitialized: NO; MSPI: 4160; Host: 172.20.12.9; Expires: 2327/3610; LastUpdateTime: 3Apr2020 9:26:37; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
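As an added example (not from the original post), a small POSIX shell/awk script that reads the `fw tab` output and reports, per SA, whether it negotiated the universal proxy-ID range (0.0.0.0 to 255.255.255.255) or a narrow subnet pair. The sample table is constructed: the first line is an abridged copy of the one above, the second is an invented narrow-range entry with made-up addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: classify each SA in the output of
# `fw tab -t inbound_SPI -m 1000` (or outbound_SPI) by its proxy-ID range. An SA
# whose MyRange/PeerRange is 0.0.0.0 (printed as empty) .. 255.255.255.255 is what a
# route-based peer with 0.0.0.0/0 selectors negotiates; narrow ranges suggest the
# community is still in per-subnet mode.

# Constructed sample: line 1 abridged from the post, line 2 an invented narrow SA.
SAMPLE_SPI_TABLE='9:26:37 5 N/A N/A 10.20.204.4 > N/A SPI: 13608394; Protocol: IPSEC_ESP_SA(2); Me: 172.20.12.9; Peer: 12.0.1.132; MyRange:First: ; Last: 255.255.255.255; PeerRange:First: ; PeerLast: 255.255.255.255; Expires: 2327/3610;
9:27:02 5 N/A N/A 10.20.204.4 > N/A SPI: 13608395; Protocol: IPSEC_ESP_SA(2); Me: 172.20.12.9; Peer: 203.0.113.7; MyRange:First: 10.20.0.0; Last: 10.20.255.255; PeerRange:First: 192.0.2.0; PeerLast: 192.0.2.255; Expires: 3600/3610;'

# classify_sas: reads fw tab output on stdin, prints "<peer> <spi> universal|narrow"
classify_sas() {
  awk '
  # val(line, key): value following "key: " up to the next ";", trailing blanks removed
  function val(line, key,   s) {
    if (match(line, key ": [^;]*") == 0) return ""
    s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    sub(/[ \t]+$/, "", s)
    return s
  }
  # universal(first, last): 1 when the range spans the whole address space
  function universal(first, last) {
    return (first == "" || first == "0.0.0.0") && last == "255.255.255.255"
  }
  /SPI: / {
    peer = val($0, "Peer"); spi = val($0, "SPI")
    mine   = universal(val($0, "MyRange:First"), val($0, "Last"))
    theirs = universal(val($0, "PeerRange:First"), val($0, "PeerLast"))
    printf "%s %s %s\n", peer, spi, ((mine && theirs) ? "universal" : "narrow")
  }'
}

# count_narrow: number of SAs on stdin whose selectors are not the full range
count_narrow() { classify_sas | awk '/ narrow$/ { n++ } END { print n + 0 }'; }

# Usage on a live gateway: fw tab -t inbound_SPI -m 1000 | classify_sas
printf '%s\n' "$SAMPLE_SPI_TABLE" | classify_sas
```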
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \