Re: [FW1] All Traffic to Central Site via VPN
Jon,

You are describing a PPTP or L2TP based firewall. In all IPSec based firewalls, traffic destined for the internet will go direct to the net without wasting bandwidth at the central site. Also, traffic between remote sites will pass directly between the relevant sites and not touch the main site. This is the only way to do this with Check Point.

You would just define each VPN device and each site's local network objects, then 1) create a group (encryption_domains for example) and place all the sites' network objects into the group, create a rule

encryption_domains encryption_domains <svc> encrypt

and create a NAT rule (if NAT will be used in the network) that says

encryption_domains encryption_domains original original

or you can create many rules defining each site's access to the other sites as separate rules. This will give you tighter control and enable you to avoid the IKE error: peer gateway same as source

"Jon R. Allen" wrote:
> I am trying to set up a test bed to compare Checkpoint VPN with
> Nortel Contivity VPN. The setup requires that remote sites
> connect back to Headquarters via an encrypted VPN connection
> for all traffic destined for either headquarters OR the Internet.
> In other words, this is a non-split-tunneling VPN connection. I
> have successfully set up split tunnels before where the remote site
> sends traffic out to the internet directly, and only traffic
> destined for headquarters gets encrypted on the VPN, but this is
> not what they want.
>
> The problem I am having is what the encryption domains should be
> to encrypt everything back to headquarters regardless of whether
> it will eventually go out to the internet via headquarters, or
> stay within headquarters.
>
> If anyone can provide some pointers on the encryption domain and
> rule settings for each side, I would appreciate it. Thanks in
> advance.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
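The rule set described in the reply can be modelled in a few lines. This is an added example, not code from the post or from Check Point: the site names, the addresses and the fall-through outbound rule are assumptions. It shows that when the encryption_domains group holds only the sites' own networks, site-to-site traffic matches the encrypt rule while Internet-bound traffic does not.

```python
import ipaddress

# Constructed sample topology (RFC 1918 ranges); site names are hypothetical.
SITES = {
    "hq":      ipaddress.ip_network("10.1.0.0/16"),
    "remote1": ipaddress.ip_network("10.2.0.0/24"),
    "remote2": ipaddress.ip_network("10.3.0.0/24"),
}
# The group from the post: every site's local network object.
ENCRYPTION_DOMAINS = list(SITES.values())


def site_of(addr):
    """Return the name of the site whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in SITES.items():
        if ip in net:
            return name
    return None


def in_group(addr, group):
    """True if addr falls inside any network object of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def evaluate(src, dst):
    """First-match evaluation of the two rules described in the post.

    Returns (action, peer_site, nat).
    """
    if in_group(src, ENCRYPTION_DOMAINS) and in_group(dst, ENCRYPTION_DOMAINS):
        # Security rule: encryption_domains -> encryption_domains, encrypt.
        # NAT rule: original/original, so addresses are left untranslated.
        return ("encrypt", site_of(dst), "original")
    # Assumption: a later rule accepts outbound traffic and hides it behind
    # the local gateway. That rule is not part of the post.
    return ("accept-clear", None, "hide")


if __name__ == "__main__":
    for s, d in [("10.2.0.10", "10.1.5.5"), ("10.2.0.10", "10.3.0.7"),
                 ("10.2.0.10", "198.51.100.20")]:
        print(s, "->", d, evaluate(s, d))
```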