
[FW1] Multiple Domain Encryptions



Hi All

I have set up the following infrastructure with Nokia IP440 CP4.1sp2
firewalls. The routing tables on the Nokia boxes are OK (the default route
points to the next hop on the Internet); also, I am able to ping from
everywhere to any other destination (public IP address on the external
interface).
 
Environment:
14 sites, and each site has to be able to send data to every other site
(fourteen!). This means the user can log on to his default domain (NT two-way
domain trust; W2K GC replication with the root domain).
I have big difficulties setting up the rules which allow traffic from
different encryption domains (internal networks) to use the same VPN tunnel,
e.g. LAN(A) traffic with destination LAN(X) should be sent over FW1(B) and
not directly to LAN(X). In this case the traffic would actually use the IKE(A)
tunnel and then the IKE(X) tunnel instead of creating a separate IKE tunnel
between FW1(A) and FW1(X).

Until now, I have set up for each site an IKE connector to each other site. As
you probably see in the example, I would have to create several objects for
each site and a huge number of VPN tunnels.

I think there might be a way around this chosen approach; with Cisco
routers I could assign IP addresses to specific VPN tunnels... (Can I work
with IP addresses on Check Point too?)

                          LAN(X)
                           |
                        FW1(WHQ)
                           |
                     203.126..
                           |
                           | IKE(X)
                           |
203.xxx.xxx.180 --- 203.167.xxx.xxx ----- 210.48.xx.xx -------- 201.221.xx.xx ------ etc.
     |          IKE(A)     |          IKE       |         IKE         |
    FW1(A)                FW1(B)               FW1(C)                FW1(D)
     |                     |                    |                     |
     |                     |                    |                     |
10.10.10.1/24         10.10.20.1/24      192.168.254.1/24        172.16.16.1
   LAN(A)               LAN(B)             LAN(C)                   LAN(D)

Example:
- Send ICMP packets from LAN(A) (source) to LAN(X) (destination):
first hop FW1(A), second FW1(B), third FW1(X) (that is how it should be).

In this example the packets get encrypted on FW1(A) and sent to FW1(B), but
they never get to FW1(X).
All I get is the error message on FW1(B): "...neither source nor destination is
in my encryption domain..."

What am I doing wrong?


Thanks a lot for any help; I will appreciate it very much!

Matt


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
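The error Matt quotes from FW1(B) is the key symptom: a FireWall-1 gateway refuses to handle a VPN packet when neither endpoint falls inside its own encryption domain, and in a hub-and-spoke layout the hub only ever sees traffic between two other sites' networks. The following Python model is an added illustration, not Check Point code and not part of the original post. It reduces the gateway decision to a single test (source or destination inside the gateway's encryption domain), walks a LAN(A) to LAN(X) packet along the path Matt describes, and contrasts the per-site domains from the post with a hub whose domain also covers the spoke networks it relays for. The addresses for LAN(A) and LAN(B) come from the diagram; LAN(X), the hosts, and the hub's enlarged domain are assumptions, and the real FW-1 decision also consults the peer domains configured on each gateway, which this model omits.

```python
"""Toy model of FW-1 encryption-domain matching on a hub-and-spoke VPN path.

Added illustration only. Addresses beyond LAN(A)/LAN(B) are constructed; the
hub-and-spoke domain layout is an assumption about how to satisfy the check.
"""
from ipaddress import ip_address, ip_network

# Networks from the diagram; LAN(X) behind FW1(WHQ) is not given and is assumed.
LAN_A = ip_network("10.10.10.0/24")
LAN_B = ip_network("10.10.20.0/24")
LAN_X = ip_network("172.20.0.0/16")  # assumption

# Setup as described in the post: each gateway's encryption domain is its own LAN only.
PER_SITE_DOMAINS = {
    "FW1(A)": [LAN_A],
    "FW1(B)": [LAN_B],
    "FW1(WHQ)": [LAN_X],
}

# Assumed hub-and-spoke variant: the hub FW1(B) also claims the networks it relays
# for, so spoke-to-spoke traffic matches its domain when it arrives.
HUB_DOMAINS = {
    "FW1(A)": [LAN_A],
    "FW1(B)": [LAN_B, LAN_A, LAN_X],
    "FW1(WHQ)": [LAN_X],
}


def in_domain(ip, domain):
    """True if the address lies in any network of the encryption domain."""
    return any(ip in net for net in domain)


def gateway_accepts(gateway, domains, src, dst):
    """Simplified rule behind the logged error: the gateway handles the packet
    only if the source or the destination is inside its own encryption domain."""
    src, dst = ip_address(src), ip_address(dst)
    dom = domains[gateway]
    if in_domain(src, dom) or in_domain(dst, dom):
        return True, f"{gateway}: ok"
    return False, f"{gateway}: neither source nor destination is in my encryption domain"


def trace_path(path, domains, src, dst):
    """Walk the packet hop by hop and stop at the first gateway that drops it.
    Returns (delivered, per-hop messages)."""
    log = []
    for gw in path:
        ok, msg = gateway_accepts(gw, domains, src, dst)
        log.append(msg)
        if not ok:
            return False, log
    return True, log


def tunnel_count(sites, full_mesh):
    """IKE tunnels needed: one per pair for a full mesh, one per spoke for hub-and-spoke."""
    return sites * (sites - 1) // 2 if full_mesh else sites - 1


if __name__ == "__main__":
    path = ["FW1(A)", "FW1(B)", "FW1(WHQ)"]
    for name, domains in (("per-site domains", PER_SITE_DOMAINS), ("hub domain", HUB_DOMAINS)):
        delivered, log = trace_path(path, domains, "10.10.10.5", "172.20.1.1")
        print(name, "->", "delivered" if delivered else "dropped")
        for line in log:
            print("   ", line)
    print("tunnels for 14 sites, full mesh:", tunnel_count(14, True))
    print("tunnels for 14 sites, hub-and-spoke:", tunnel_count(14, False))
```

With the per-site domains the trace stops at FW1(B) with the same message Matt saw; with the hub's domain widened the packet reaches FW1(WHQ). The tunnel count is the motivation for bothering: a full mesh of 14 sites needs 91 IKE tunnels, a hub-and-spoke arrangement 13.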



 
   All contents © 2004 Network Presence, LLC. All rights reserved.