[FW1] VPN on two external FW-1 interfaces



I have FW-1 version 4.1 build 41489 running on Solaris 2.6.  I have two
Internet feeds running into this firewall.  I also have VPN tunnels
terminated on the primary interface (i.e., the IP address in the firewall
object's main window).  The remote VPN devices are a mix of FreeSWAN and
Instant Internet VPN appliances.  I am using ISAKMP, MD5, Single DES, and
pre-shared secrets for the VPN tunnels.

Due to link utilization issues, I would like to run some, but not all, of my
VPN traffic on the second Internet feed.  So, I created another gateway
object (not a FW-1 object) that is identified by the IP address of the
secondary Internet feed, with an encryption domain of the internal network,
which is the same encryption domain (same Network object) used by the
primary FW-1 object.

The VPN tunnel comes up and session keys are negotiated using the IP address
of the secondary Internet feed on the firewall.  The problem is that the
firewall then proceeds to use the primary interface to send VPN data to the
remote.  The remote rejects it, of course, since it does not have a VPN
session established with that particular IP address.  However, if the remote
sends encrypted traffic to the secondary address of the firewall, the
traffic is decrypted, and forwarded to the ultimate destination on the
internal network.  This has been confirmed by examining logs and protocol
traces.

The question is: is there a fix that will allow the firewall to encrypt on
two external interfaces concurrently?  Is this a configuration issue, or is
there a software patch?


Thank you in advance for everyone's help.

Regards,


Greg Chandler
Systems Engineer
Williams Communications
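The post says the asymmetry (IKE negotiated against the secondary address, ESP then leaving from the primary address) was confirmed from logs and protocol traces. The script below is an added example, not part of the original post or of any Check Point tooling, showing how to make that check mechanically over a trace summary: for each remote peer it records which local address handled the ISAKMP (UDP/500) exchange and which local addresses outbound ESP actually left from, and reports any peer where the two differ. The addresses, the trace records and the helper name are all constructed for the example.

```python
from collections import defaultdict

# Assumed local addresses of the two Internet feeds (constructed, not from the post).
PRIMARY = "192.0.2.1"       # address in the FW-1 object's main window
SECONDARY = "198.51.100.1"  # address of the extra gateway object
LOCAL_ADDRS = {PRIMARY, SECONDARY}

# Constructed trace summary: (time, src, dst, proto, note).
# Peer 203.0.113.7 negotiates IKE with the secondary address but receives
# ESP from the primary one; peer 203.0.113.9 behaves normally on the primary feed.
TRACE = [
    ("10:00:01", "203.0.113.7", SECONDARY, "udp/500", "ISAKMP main mode"),
    ("10:00:01", SECONDARY, "203.0.113.7", "udp/500", "ISAKMP main mode"),
    ("10:00:02", "203.0.113.7", SECONDARY, "udp/500", "ISAKMP quick mode"),
    ("10:00:02", SECONDARY, "203.0.113.7", "udp/500", "ISAKMP quick mode"),
    ("10:00:05", PRIMARY, "203.0.113.7", "esp", "SPI 0x1a2b3c4d"),   # wrong source
    ("10:00:06", "203.0.113.7", SECONDARY, "esp", "SPI 0x5e6f7a8b"),  # inbound, decrypted fine
    ("10:01:00", "203.0.113.9", PRIMARY, "udp/500", "ISAKMP main mode"),
    ("10:01:00", PRIMARY, "203.0.113.9", "udp/500", "ISAKMP main mode"),
    ("10:01:03", PRIMARY, "203.0.113.9", "esp", "SPI 0x11111111"),
]


def check_tunnel_symmetry(trace, local_addrs):
    """Return {peer: (ike_local, [bad_esp_locals])} for every peer whose outbound
    ESP leaves from a local address other than the one that negotiated IKE.

    ike_local: the local address seen in the peer's ISAKMP exchange.
    esp_out:   the set of local addresses our ESP packets to that peer came from.
    """
    ike_local = {}
    esp_out = defaultdict(set)

    for _time, src, dst, proto, _note in trace:
        if proto == "udp/500":
            if dst in local_addrs:      # inbound IKE: peer is src, our side is dst
                ike_local[src] = dst
            elif src in local_addrs:    # outbound IKE: peer is dst, our side is src
                ike_local[dst] = src
        elif proto == "esp" and src in local_addrs:
            esp_out[dst].add(src)       # outbound ESP from us to the peer

    problems = {}
    for peer, negotiated in ike_local.items():
        wrong_sources = esp_out.get(peer, set()) - {negotiated}
        if wrong_sources:
            problems[peer] = (negotiated, sorted(wrong_sources))
    return problems


if __name__ == "__main__":
    for peer, (negotiated, bad) in check_tunnel_symmetry(TRACE, LOCAL_ADDRS).items():
        print(f"{peer}: IKE via {negotiated}, but outbound ESP from {', '.join(bad)}")
```

Running it on the constructed trace reports only 203.0.113.7, which matches the symptom in the post: the SA was negotiated on the secondary address, yet encrypted traffic to that peer is sourced from the primary interface, so the peer drops it. The same pass over a real trace summary (one record per packet, with the two feed addresses filled in) separates a routing or binding problem like this one from a key-negotiation failure, since in the latter case no ESP would be sent at all.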