
[FW1] HA configuration and VPN



I seem to be stuck on getting both HA and VPN working at the same time.  I'm
most confused about how the workstation objects' IP addresses need to change
for the implementation.  I currently have the following setup before HA is
configured.
1.  Management module (M1) on a private (non-routable) network.
2.  Gateway module (G1) with one interface on the same private network as M1
and another with a valid routable IP to the Internet.
3.  Gateway module (G3) in another location with one interface on a private
network and another with a valid routable IP to the Internet.
Currently I have G1 and G3 set up with IKE pre-shared secrets to do VPN.
Both of the workstation objects for G1 and G3 have the IP address facing the
Internet defined as "their" IP address.  This works great with no problems.
I am able to communicate between the two private address ranges just fine.
G1 and G3 both have the appropriate encryption domains set up.  M1 can push
rules to and receive logs from G1 and G3 fine.

Until I bring HA into the picture...

To set up HA I've added a second Gateway module (G2) to the same networks
that G1 is attached to.  I've added the HA licenses to both, set up the HA
properties, configured the shared MAC addresses, and set up synchronization.
I've also added an additional network card to M1, G1, and G2 and connected
all three into a dedicated hub.  The G1 and G2 workstation objects have this
new network added to their interfaces list.  I've created a Gateway Cluster
object with the IP address of the public Internet interface of G1 and the
same VPN properties as G1, and have assigned G1 and G2 to this cluster
object.

To get HA to work I've had to modify the workstation objects of M1, G1, and
G2 to be defined by the IP addresses of the secure network.  This allows me
to push rules to the cluster object.  This seems to work for non-VPN
connections (I'm able to have telnet and FTP sessions active with public
entities and fail over between G1 and G2), but the VPN between the Gateway
Cluster object and G3 is gone.  My log shows G3 trying to send VPN traffic
to the now reconfigured G1 IP address and it, of course, doesn't get a
reply.  I've tried all sorts of IP address changes (public, private) for G1
and G2 and have even created new objects for their public addresses and
substituted those in the rule base where G1 used to be.  Nothing I've tried
has helped.

Check Point's documentation for this simply tells me to assign IP addresses
to the gateway cluster object and the gateways "in accordance with the
instructions provided with the third-party solution."  Well, CP is the
solution and I cannot find any documentation by them to address this.

Any help would be greatly appreciated.
Thanks.
Michael Junk
[email protected]



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
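A consistency check for the kind of topology described in the post above, as an added example that is not part of the original message and not Check Point's own tooling. The object model, the rule that a remote VPN peer must address the cluster's shared public IP rather than a member's own (now private) address, and every address used (RFC 1918 and RFC 5737 ranges) are assumptions made for illustration; the post itself uses G1's public address as the cluster address, whereas the sample below gives the cluster a distinct VIP so the failing and passing cases are easy to tell apart.

```python
"""Consistency checks for a gateway-cluster plus site-to-site VPN topology.

Added example; not code from the original post or from Check Point.
The object model, the rule that a remote peer must target the cluster's
shared public IP (not a member's own address), and every address below
(RFC 1918 and RFC 5737 ranges) are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Non-routable ranges in the sense the post uses ("private (non-routable) network").
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Gateway:
    name: str
    interfaces: dict                     # interface name -> "addr/prefix"
    encryption_domain: list = field(default_factory=list)

    def addresses(self):
        return [ip_address(v.split("/")[0]) for v in self.interfaces.values()]

    def networks(self):
        return [ip_network(v, strict=False) for v in self.interfaces.values()]


@dataclass
class Cluster:
    name: str
    vip: str                             # shared public address owned by the active member
    members: list
    encryption_domain: list


@dataclass
class VpnPeer:
    gateway: Gateway
    partner_address: str                 # the address this peer sends IKE/ESP to


def check_topology(cluster, peer, mgmt, mgmt_net):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    vip = ip_address(cluster.vip)
    net = ip_network(mgmt_net)

    # 1. Each member needs an interface on the VIP's subnet so either can own it after failover.
    for m in cluster.members:
        if not any(vip in n for n in m.networks()):
            findings.append(f"{m.name}: no interface on the subnet of cluster VIP {vip}")

    # 2. The remote peer must target the VIP, never a member's own (possibly private) address.
    partner = ip_address(peer.partner_address)
    member_addrs = {a for m in cluster.members for a in m.addresses()}
    if partner != vip:
        hint = " (a member's own address)" if partner in member_addrs else ""
        findings.append(f"{peer.gateway.name} peers with {partner}, expected VIP {vip}{hint}")
    if any(partner in n for n in RFC1918):
        findings.append(f"{peer.gateway.name} peers with non-routable address {partner}")

    # 3. Management and every member share the secure network used for policy push and logs.
    for g in [mgmt, *cluster.members]:
        if not any(a in net for a in g.addresses()):
            findings.append(f"{g.name}: no address on management network {net}")

    # 4. Encryption domains on the two ends of the tunnel must not overlap.
    for a in cluster.encryption_domain:
        for b in peer.gateway.encryption_domain:
            if ip_network(a).overlaps(ip_network(b)):
                findings.append(f"encryption domains overlap: {a} vs {b}")
    return findings


def build_sample(partner_address):
    """Constructed topology mirroring the post: M1, G1/G2 in a cluster, G3 remote."""
    mgmt_net = "10.0.0.0/24"                                    # dedicated sync/secure hub
    m1 = Gateway("M1", {"lan": "192.168.1.5/24", "sync": "10.0.0.1/24"})
    g1 = Gateway("G1", {"lan": "192.168.1.1/24", "ext": "198.51.100.11/24",
                        "sync": "10.0.0.2/24"}, ["192.168.1.0/24"])
    g2 = Gateway("G2", {"lan": "192.168.1.2/24", "ext": "198.51.100.12/24",
                        "sync": "10.0.0.3/24"}, ["192.168.1.0/24"])
    cluster = Cluster("G1_G2_cluster", "198.51.100.10", [g1, g2], ["192.168.1.0/24"])
    g3 = Gateway("G3", {"lan": "192.168.2.1/24", "ext": "203.0.113.7/24"}, ["192.168.2.0/24"])
    return cluster, VpnPeer(g3, partner_address), m1, mgmt_net


def run(partner_address):
    """Run all checks with G3 configured to send VPN traffic to partner_address."""
    return check_topology(*build_sample(partner_address))


if __name__ == "__main__":
    # G3 aimed at G1's secure-network address, at G1's own public address, and at the VIP.
    for target in ("10.0.0.2", "198.51.100.11", "198.51.100.10"):
        print(f"G3 -> {target}: {run(target) or ['OK']}")
```

The first run reproduces the symptom in the post (the remote side still addressing a member whose object now carries a secure-network address); the last run, with the peer pointed at the cluster's shared public address, comes back clean.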



All contents © 2003 Network Presence, LLC. All rights reserved.