Re: [FW1] VPN on two external FW-1 interfaces



Greg,
There is no fix for this.  The problem lies in the firewall's IKE IP being hard-coded
to the IP address of the workstation object.  No amount of creation of
additional objects will work around this, as it occurs at the fw-kernel level.

Upcoming releases promise a fix.

CT

"Chandler, Greg" wrote:

> I have FW-1 version 4.1 build 41489 running on Solaris 2.6.  I have two
> Internet feeds running into this firewall.  I also have VPN tunnels
> terminated on the primary interface (ie: the IP address in the firewall
> object's main window).  The remote VPN devices are a mix of FreeSWAN and
> Instant Internet VPN appliances.  I am using ISAKMP, MD5, Single DES, and
> pre-shared secrets for the VPN tunnels.
>
> Due to link utilization issues, I would like to run some, but not all, of my
> VPN traffic on the second Internet feed.  So, I created another gateway
> object (not a FW-1 object) that is identified by the IP address of the
> secondary Internet feed, with an encryption domain of the internal network,
> which is the same encryption domain (same Network object) used by the
> primary FW-1 object.
>
> The VPN tunnel comes up and session keys are negotiated using the IP address
> of the secondary Internet feed on the firewall.  The problem is that the
> firewall then proceeds to use the primary interface to send VPN data to the
> remote.  The remote rejects it, of course, since it does not have a VPN
> session established with that particular IP address.  However, if the remote
> sends encrypted traffic to the secondary address of the firewall, the
> traffic is decrypted, and forwarded to the ultimate destination on the
> internal network.  This has been confirmed by examining logs and protocol
> traces.
>
> The question is: is there a fix that will allow the firewall to encrypt on
> two external interfaces concurrently?  Is this a configuration issue, or is
> there a software patch?
>
> Thank you in advance for everyone's help.
>
> Regards,
>
> Greg Chandler
> Systems Engineer
> Williams Communications
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
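The symptom Greg describes above (IKE negotiated with the secondary interface, but outbound ESP leaving from the primary one) can be confirmed from protocol traces by correlating, per remote peer, the local address used for IKE with the local address used as the source of outbound ESP. The following is an added example, not code from the thread or from Check Point; it assumes a simplified, constructed trace format with `src=`/`dst=` fields, hypothetical firewall interface addresses from the RFC 5737 documentation ranges, and two hypothetical remote peers.

```python
import re
from collections import defaultdict

# Constructed sample trace (not from the original thread). 192.0.2.1 is the
# hypothetical primary firewall interface, 192.0.2.2 the secondary;
# 198.51.100.5 and 203.0.113.9 are two hypothetical remote VPN peers.
# The first peer negotiates IKE with the secondary interface but then
# receives ESP from the primary one, which is the failure described above.
SAMPLE_TRACE = """\
10:01:02 IKE  src=192.0.2.2 dst=198.51.100.5 quick-mode SA established
10:01:03 ESP  src=192.0.2.1 dst=198.51.100.5 spi=0x1a2b3c4d
10:01:03 ESP  src=198.51.100.5 dst=192.0.2.2 spi=0x9f8e7d6c
10:02:10 IKE  src=192.0.2.1 dst=203.0.113.9 quick-mode SA established
10:02:11 ESP  src=192.0.2.1 dst=203.0.113.9 spi=0x00112233
10:02:11 ESP  src=203.0.113.9 dst=192.0.2.1 spi=0x44556677
"""

# Addresses of the firewall's own external interfaces (assumed values).
LOCAL_IFACES = {"192.0.2.1", "192.0.2.2"}

# One trace line: timestamp, protocol, then src= and dst= fields.
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>IKE|ESP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def parse_trace(text):
    """Yield (proto, src, dst) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("proto"), m.group("src"), m.group("dst")


def find_source_mismatches(text, local_ifaces=LOCAL_IFACES):
    """Correlate outbound IKE and ESP per remote peer.

    Returns {peer: (ike_local_addr, {esp_local_addrs})} for every peer whose
    outbound ESP leaves from a local address other than the one IKE was
    negotiated from. An empty dict means every tunnel is consistent.
    """
    ike_local = {}                 # peer -> local address used for IKE
    esp_local = defaultdict(set)   # peer -> local addresses seen as ESP source
    for proto, src, dst in parse_trace(text):
        if src not in local_ifaces:
            continue  # inbound packets are not relevant to this check
        if proto == "IKE":
            ike_local[dst] = src
        else:
            esp_local[dst].add(src)

    mismatches = {}
    for peer, ike_addr in ike_local.items():
        wrong = esp_local.get(peer, set()) - {ike_addr}
        if wrong:
            mismatches[peer] = (ike_addr, wrong)
    return mismatches


if __name__ == "__main__":
    for peer, (ike_addr, esp_addrs) in find_source_mismatches(SAMPLE_TRACE).items():
        print(f"peer {peer}: IKE from {ike_addr}, ESP from {sorted(esp_addrs)}")
```

Run on the sample, the script reports the first peer only: IKE from 192.0.2.2 but ESP from 192.0.2.1, while the second peer is consistent. The same correlation, applied to a real capture, separates this kernel-level source-selection behaviour from an ordinary pre-shared-key or proposal mismatch, which would show up in the IKE exchange itself rather than in the ESP source address.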