
[FW1] VPN on two external FW-1 interfaces



/***************
I apologize for submitting this message again, but my subscription to the mailing list "did not take" this morning, and I may have missed some of your replies.  I would be very grateful for any reposts.
******************/

I have FW-1 version 4.1 build 41489 running on Solaris 2.6.  I have two Internet feeds running into this firewall.  I also have VPN tunnels terminated on the primary interface (i.e., the IP address in the firewall object's main window).  The remote VPN devices are a mix of FreeSWAN and Instant Internet VPN appliances.  I am using ISAKMP, MD5, Single DES, and pre-shared secrets for the VPN tunnels.

Due to link utilization issues, I would like to run some, but not all, of my VPN traffic on the second Internet feed.  So, I created another gateway object (not a FW-1 object) that is identified by the IP address of the secondary Internet feed, with an encryption domain of the internal network, which is the same encryption domain (same Network object) used by the primary FW-1 object.  

The VPN tunnel comes up and session keys are negotiated using the IP address of the secondary Internet feed on the firewall.  The problem is that the firewall then proceeds to use the primary interface to send VPN data to the remote.  The remote rejects it, of course, since it does not have a VPN session established with that particular IP address.  However, if the remote sends encrypted traffic to the secondary address of the firewall, the traffic is decrypted, and forwarded to the ultimate destination on the internal network.  This has been confirmed by examining logs and protocol traces.

The question is: is there a fix that will allow the firewall to encrypt on two external interfaces concurrently?  Is this a configuration issue, or is there a software patch?


Thank you in advance for everyone's help.

Regards,


Greg Chandler
Systems Engineer
Williams Communications

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
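The symptom described in the post (IKE negotiated on the secondary address, ESP then emitted from the primary address, inbound ESP to the secondary address still decrypting correctly) was confirmed from logs and protocol traces. The following script is an added example, not part of the original message or of Check Point's software: it correlates ISAKMP exchanges with outbound ESP flows and reports any peer whose ESP traffic leaves from a local address other than the one the IKE negotiation used. The flow records and all addresses (firewall primary and secondary, remote peers) are constructed for illustration.

```python
"""Correlate IKE (ISAKMP, UDP/500) exchanges with ESP (IP protocol 50) flows and
flag outbound ESP whose local source address differs from the address the IKE
negotiation was carried on.

Added example; flow records and addresses below are constructed, not from the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp/500" for ISAKMP, "esp" for IP protocol 50


# Hypothetical firewall external addresses (constructed)
PRIMARY = "198.51.100.1"    # primary Internet feed / firewall object's main address
SECONDARY = "203.0.113.1"   # secondary Internet feed
LOCAL_ADDRS = {PRIMARY, SECONDARY}

# Constructed flow records summarising a trace like the one the post describes
SAMPLE_FLOWS = [
    # Peer A negotiates IKE with the SECONDARY address, both directions
    Flow("192.0.2.10", SECONDARY, "udp/500"),
    Flow(SECONDARY, "192.0.2.10", "udp/500"),
    # Inbound ESP from peer A to the secondary address: decrypts and forwards fine
    Flow("192.0.2.10", SECONDARY, "esp"),
    # Outbound ESP to peer A leaves from the PRIMARY address: the mismatch
    Flow(PRIMARY, "192.0.2.10", "esp"),
    # Peer B negotiated on the primary interface and works normally
    Flow("192.0.2.20", PRIMARY, "udp/500"),
    Flow(PRIMARY, "192.0.2.20", "udp/500"),
    Flow(PRIMARY, "192.0.2.20", "esp"),
    Flow("192.0.2.20", PRIMARY, "esp"),
]


def negotiated_endpoints(flows, local_addrs):
    """Map each remote peer to the set of local addresses it exchanged ISAKMP with."""
    peers = defaultdict(set)
    for f in flows:
        if f.proto != "udp/500":
            continue
        if f.src in local_addrs:
            peers[f.dst].add(f.src)
        elif f.dst in local_addrs:
            peers[f.src].add(f.dst)
    return peers


def find_esp_mismatches(flows, local_addrs):
    """Return (peer, local_addr_used, negotiated_local_addrs) for each outbound ESP
    flow whose local source address was not one the peer negotiated IKE with.

    Inbound ESP and ESP to peers with no observed IKE exchange are ignored, so
    the report only contains flows the remote can be expected to reject.
    """
    peers = negotiated_endpoints(flows, local_addrs)
    mismatches = []
    for f in flows:
        if f.proto != "esp" or f.src not in local_addrs:
            continue
        negotiated = peers.get(f.dst, set())
        if negotiated and f.src not in negotiated:
            mismatches.append((f.dst, f.src, sorted(negotiated)))
    return mismatches


if __name__ == "__main__":
    for peer, used, negotiated in find_esp_mismatches(SAMPLE_FLOWS, LOCAL_ADDRS):
        print(f"peer {peer}: ESP sent from {used}, but IKE was negotiated on {negotiated}")
```

Run against the constructed sample, the report names only peer A: its ESP leaves from the primary address while its IKE exchange used the secondary one, which is exactly the condition the remote rejects. Feeding the same function records reduced from a real capture (source, destination, protocol) gives a quick way to tell a routing or source-address selection problem apart from a key-negotiation failure.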


