
RE: [FW1] gateway connected to both endpoints scheme

It sounds to me like your encryption domains are overlapping.  Encryption
domains are used to specify the hosts which reside behind each firewall.  If
each firewall has access to domain_1 and domain_2 on one of its internal
interfaces, then encrypting traffic isn't necessary, since each firewall can
already reach those hosts locally.  If each firewall has only one domain on
its internal interfaces, only those domains which are internal (relative to
that firewall) should be in its encryption domain.

For example, suppose you have:

Domain_1  <--->  Firewall_1 <---Internet---> Firewall_2 <--->  Domain_2

Then Firewall_1's encryption domain should be Domain_1, and Firewall_2
should have Domain_2 as its encryption domain.

On the other hand, if you have:

              Internet
             /        \
     Firewall_1      Firewall_2
         |     \    /     |
         |      \  /      |
         |       \/       |
         |       /\       |
         |      /  \      |
     Domain_1  /    \  Domain_2

then each firewall can communicate directly with each domain without
encrypting traffic, so there's no need for the encrypt rules.

If you have the first layout, you'll need to modify your encryption domains.
If you have the second, then there's really no need for the firewalls to do
encryption.

Let me know if I can clarify further.

-----Original Message-----
From: Emili Badia [mailto:[email protected]]
Sent: Tuesday, September 05, 2000 12:07 PM
To: [email protected]
Subject: [FW1] gateway connected to both endpoints scheme


We have a VPN configuration that fails to encrypt communications.

The log file shows the following message:

encryption failure: gateway connected to both endpoints scheme: FWZ

the rules we have are:

Source      Destination    Service    Action     Track
domain_1    domain_2       Any        Encrypt    Long
domain_2    domain_1       Any        Encrypt    Long

In the firewall we have in the first domain, when we configure the encryption
domain we just add an object that includes domain_1 and domain_2.
The same in the second firewall.
Any idea?

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
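The encryption-domain rule in the reply above, as an added example (this is not Check Point code and comes from neither poster): a small Python model that, given each gateway's encryption domain and the two Encrypt rules from the original post, reports which rules hit the "gateway connected to both endpoints" condition and which would get a proper peer pair. The gateway names, the 10.1.0.0/16 and 10.2.0.0/16 ranges, and the matching logic are constructed assumptions; FW-1's own FWZ matching is not reproduced, only the overlap the reply describes.

```python
# Added example (not Check Point's code): a model of the encryption-domain
# overlap discussed in the thread. Gateway names, the address ranges chosen
# for domain_1/domain_2 and the rule table are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed address plan: Domain_1 sits behind Firewall_1 and Domain_2
# behind Firewall_2, joined only across the Internet (first diagram above).
DOMAINS = {
    "domain_1": ip_network("10.1.0.0/16"),
    "domain_2": ip_network("10.2.0.0/16"),
}

# The two Encrypt rules from the original post: (source, destination, action).
RULES = [
    ("domain_1", "domain_2", "Encrypt"),
    ("domain_2", "domain_1", "Encrypt"),
]

# What the original poster configured: each gateway's encryption domain is
# one object that includes both domain_1 and domain_2.
MISCONFIGURED = {
    "Firewall_1": [DOMAINS["domain_1"], DOMAINS["domain_2"]],
    "Firewall_2": [DOMAINS["domain_1"], DOMAINS["domain_2"]],
}

# What the reply recommends: each gateway's encryption domain holds only the
# networks that are internal relative to that gateway.
CORRECTED = {
    "Firewall_1": [DOMAINS["domain_1"]],
    "Firewall_2": [DOMAINS["domain_2"]],
}


def gateways_for(net, enc_domains):
    """Gateways whose encryption domain contains the whole network `net`."""
    return sorted(
        gw for gw, nets in enc_domains.items()
        if any(net.subnet_of(n) for n in nets)
    )


def check_rules(rules, enc_domains, domains=DOMAINS):
    """Classify each Encrypt rule against the gateways' encryption domains.

    Returns a list of (src, dst, status, gateways). When one gateway's
    encryption domain covers both endpoints of a rule there is no remote
    peer to build a tunnel to, which is the condition the log line reports.
    """
    findings = []
    for src, dst, action in rules:
        if action != "Encrypt":
            continue
        src_gws = gateways_for(domains[src], enc_domains)
        dst_gws = gateways_for(domains[dst], enc_domains)
        shared = sorted(set(src_gws) & set(dst_gws))
        if shared:
            findings.append((src, dst, "gateway connected to both endpoints", shared))
        elif not src_gws or not dst_gws:
            findings.append((src, dst, "endpoint outside every encryption domain", []))
        elif len(src_gws) > 1 or len(dst_gws) > 1:
            findings.append((src, dst, "ambiguous peer (overlapping domains)", src_gws + dst_gws))
        else:
            # Exactly one gateway per side: a tunnel src_gw -> dst_gw.
            findings.append((src, dst, "ok", [src_gws[0], dst_gws[0]]))
    return findings


def tunnel_for(src_ip, dst_ip, enc_domains):
    """Peer pair (src_gw, dst_gw) that would carry one packet, or None when
    both ends fall under the same gateway or the peer choice is ambiguous."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_gws = [gw for gw, nets in enc_domains.items() if any(src in n for n in nets)]
    dst_gws = [gw for gw, nets in enc_domains.items() if any(dst in n for n in nets)]
    pairs = [(a, b) for a in src_gws for b in dst_gws if a != b]
    return pairs[0] if len(pairs) == 1 else None


if __name__ == "__main__":
    for label, enc in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label)
        for finding in check_rules(RULES, enc):
            print("  ", finding)
        print("   10.1.0.5 -> 10.2.0.7:", tunnel_for("10.1.0.5", "10.2.0.7", enc))
```

With the poster's configuration both gateways claim both domains, so every rule is flagged as having a gateway on both endpoints and no single peer pair exists for a packet between the domains; with the corrected domains each rule resolves to exactly one Firewall_1/Firewall_2 pair.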

