Re: [FW1] All Traffic to Central Site via VPN



Jon,
You are describing a PPTP or L2TP based firewall.  In all IPSec based firewalls,
traffic destined for the internet will go direct to the net without wasting
bandwidth at the central site.  Also traffic between remote sites will pass directly
between the relevant sites and not touch the main site.  This is the only way to do
this with Check Point.

You would just define each VPN device and each site's local network objects, then 1)
create a group (encryption_domains for example) and place all the sites' network
objects into the group -- create a rule encryption_domains encryption_domains <svc>
encrypt -- and create a NAT rule (if NAT will be used in the network) that says
encryption_domains encryption_domains original original,
or you can create many rules defining each site's access to the other sites as
separate rules.  This will give you tighter control and enable you to avoid the IKE
error: peer gateway same as source

"Jon R. Allen" wrote:

> I am trying to set up a test bed to compare Checkpoint VPN with
> Nortel Contivity VPN.  The setup requires that remote sites
> connect back to Headquarters via an encrypted VPN connection
> for all traffic destined for either headquarters OR the Internet.
> In other words, this is a non-split-tunneling VPN connection. I
> have successfully set up split tunnels before where the remote site
> sends traffic out to the internet directly, and only traffic
> destined for headquarters gets encrypted on the VPN, but this is
> not what they want.
>
> The problem I am having is what the encryption domains should be
> to encrypt everything back to headquarters regardless of whether
> it will eventually go out to the internet via headquarters, or
> stay within headquarters.
>
> If anyone can provide some pointers on the encryption domain and
> rule settings for each side, I would appreciate it.  Thanks in
> advance.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================




