[FW1] Multiple Domain Encryptions
Hi All,

I have set up the following infrastructure with Nokia IP440 CP4.1sp2 Firewalls. Routing tables on the Nokia boxes are ok (default route is pointing to the next hop on the internet, also I am able to ping from everywhere to any other destination (public IP address on external interface)).

Environment: 14 sites, each site has to be able to send data to every other site (fourteen!). This means the user can log on to his default domain (NT 2-way domain trust --- W2K GC replication with root domain).

I have big difficulties setting up the rules which allow traffic from different Encryption Domains (internal networks) using the same VPN tunnel, e.g. LAN(A) traffic with destination LAN(X) should be sent over FW1(B) and not directly to LAN(X). In this case the traffic actually would use the IKE(A) tunnel and after that the IKE(X) tunnel instead of creating a separate IKE tunnel between FW1(A) and FW1(X).

Until now, I did set up for each site an IKE connector to each site. As you probably see in the example, I would have to create for each site several objects and create a huge amount of VPN tunnels. I think there might have to be a way around this chosen way, also with Cisco Routers I could assign IP addresses to specific VPN tunnels.... (Can I work on Checkpoint with IP addresses too?)

                             LAN(X)
                               |
                            FW1(WHQ)
                               |
                            203.126..
                               |
                             IKE(X)
                               |
  203.xxx.xxx.180 --- 203.167.xxx.xxx ----- 210.48.xx.xx -------- 201.221.xx.xx ------ etc.
        |                    |                   |                     |
      IKE(A)                IKE                 IKE                   IKE
        |                    |                   |                     |
      FW1(A)               FW1(B)              FW1(C)                FW1(D)
        |                    |                   |                     |
  10.10.10.1/24        10.10.20.1/24      192.168.254.1/24        172.16.16.1
      LAN(A)               LAN(B)              LAN(C)                LAN(D)

Example:
- Send ICMP packets from LAN(A) source to LAN(X) destination: first hop FW1(A), second FW1(B), third FW1(X) (should be like that).

In this example I get the packets encrypted on FW1(A) and sent to FW1(B) but they never get to FW1(X). All I got is the error message on FW1(B): "...neither source nor destination is in my encryption domain...".

What am I doing wrong? Thanks a lot for any help, I will appreciate that very much!
Matt
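An added example, not part of Matt's post and not Check Point code: a simplified Python model of the decision a VPN gateway makes when it sees a src/dst pair, used to reproduce the "neither source nor destination is in my encryption domain" drop on FW1(B) in the full-mesh setup, and to show how the same LAN(A)->LAN(X) packet is relayed once FW1(B) acts as a hub whose encryption domain covers the spoke networks. LAN(A) and LAN(B) use the addresses from the post; LAN(X) is a placeholder (the post truncates it), and the gateway names, the "peers" table and the three-way decision are assumptions of the model, not FW-1 internals.

```python
import ipaddress

# Constructed example: a simplified model of how a VPN gateway treats a packet
# based on its own encryption domain and its peers' domains. Not Check Point
# code; it only illustrates the hub-and-spoke versus full-mesh difference.
LAN_A = "10.10.10.0/24"   # from the post
LAN_B = "10.10.20.0/24"   # from the post
LAN_X = "192.0.2.0/24"    # placeholder: the post truncates LAN(X)

# Full mesh: each gateway's domain is only its own LAN, and every gateway peers
# with every other gateway (this is the setup the post describes).
MESH_DOMAINS = {"FW1(A)": [LAN_A], "FW1(B)": [LAN_B], "FW1(X)": [LAN_X]}
MESH_PEERS = {g: [p for p in MESH_DOMAINS if p != g] for g in MESH_DOMAINS}

# Hub-and-spoke (assumed design): the hub FW1(B) claims the spoke LANs in its
# encryption domain, spokes peer only with the hub, and the hub peers with all.
HUB_DOMAINS = {"FW1(A)": [LAN_A], "FW1(B)": [LAN_A, LAN_B, LAN_X], "FW1(X)": [LAN_X]}
HUB_PEERS = {"FW1(A)": ["FW1(B)"], "FW1(B)": ["FW1(A)", "FW1(X)"], "FW1(X)": ["FW1(B)"]}


def in_domain(ip, cidrs):
    """True if `ip` falls inside any of the networks in `cidrs`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def decide(gateway, src, dst, domains, peers):
    """What `gateway` does with a src->dst packet (decrypted inner packet).

    - src in own domain and dst behind a peer  -> encrypt towards that peer
    - src in own domain, dst behind no peer     -> forward in the clear
    - dst in own domain                         -> deliver locally
    - neither                                   -> drop (the error in the post)
    """
    own = domains[gateway]
    if in_domain(src, own):
        for peer in peers[gateway]:
            if in_domain(dst, domains[peer]):
                return f"encrypt to {peer}"
        return "clear"
    if in_domain(dst, own):
        return "deliver"
    return "drop: neither source nor destination is in my encryption domain"


def trace(path, src, dst, domains, peers):
    """Apply decide() at each gateway on `path`, stopping at the first drop."""
    actions = []
    for gw in path:
        action = decide(gw, src, dst, domains, peers)
        actions.append((gw, action))
        if action.startswith("drop"):
            break
    return actions


if __name__ == "__main__":
    src, dst = "10.10.10.5", "192.0.2.7"   # a host in LAN(A) pinging LAN(X)
    path = ["FW1(A)", "FW1(B)", "FW1(X)"]
    print("full mesh, relayed via FW1(B):")
    for gw, action in trace(path, src, dst, MESH_DOMAINS, MESH_PEERS):
        print(f"  {gw}: {action}")
    print("hub-and-spoke via FW1(B):")
    for gw, action in trace(path, src, dst, HUB_DOMAINS, HUB_PEERS):
        print(f"  {gw}: {action}")
```

In the mesh table the relay fails at FW1(B) exactly as in the post: after decrypting, FW1(B) sees a packet whose source and destination are both outside its domain, so it has no rule under which to re-encrypt it. In the hub table FW1(B)'s domain contains LAN(A), so the packet counts as "its own" traffic and is re-encrypted to FW1(X), where LAN(X) is local and the packet is delivered; the price is that the hub's domain now overlaps the spokes' domains, which is what lets the spokes point a single tunnel at the hub instead of one at every site.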