
RE: [FW1] VPN on two external FW-1 interfaces



Greg,

This must be a routing issue. If you see successful decryption on inbound
packets, you're so close. The problem, I believe, is the routing table on
your firewall. Make sure the firewall has a route that uses the secondary
interface for the secondary VPN destination. It sounds like you don't have
one, and the default gateway is set to use the primary one.
I know there are other people with a different opinion regarding this
multi-interface VPN. But I can tell you that I got it working before.

Good luck!

Sun Yu, CISSP
Lucent Worldwide Services


> I have FW-1 version 4.1 build 41489 running on Solaris 2.6.
> I have two Internet feeds running into this firewall.  I also
> have VPN tunnels terminated on the primary interface (i.e., the
> IP address in the firewall object's main window).  The remote
> VPN devices are a mix of FreeSWAN and Instant Internet VPN
> appliances.  I am using ISAKMP, MD5, Single DES, and
> pre-shared secrets for the VPN tunnels.
>
> Due to link utilization issues, I would like to run some, but
> not all, of my VPN traffic on the second Internet feed.  So,
> I created another gateway object (not a FW-1 object) that is
> identified by the IP address of the secondary Internet feed,
> with an encryption domain of the internal network, which is
> the same encryption domain (same Network object) used by the
> primary FW-1 object.
>
> The VPN tunnel comes up and session keys are negotiated using
> the IP address of the secondary Internet feed on the
> firewall.  The problem is that the firewall then proceeds to
> use the primary interface to send VPN data to the remote.
> The remote rejects it, of course, since it does not have a
> VPN session established with that particular IP address.
> However, if the remote sends encrypted traffic to the
> secondary address of the firewall, the traffic is decrypted,
> and forwarded to the ultimate destination on the internal
> network.  This has been confirmed by examining logs and
> protocol traces.
>
> The question is: is there a fix that will allow the firewall
> to encrypt on two external interfaces concurrently?  Is this
> a configuration issue, or is there a software patch?
>
>
> Thank you in advance for everyone's help.
>
> Regards,
>
>
> Greg Chandler
> Systems Engineer
> Williams Communications



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
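The routing point made in the reply above, shown as an added example (not code from either poster): a longest-prefix lookup over a constructed `netstat -rn`-style table demonstrates why IKE negotiated on the secondary address still produces ESP leaving the primary interface (the default route wins), and how a host route for the remote peer via the secondary feed's gateway changes the egress interface. The addresses (RFC 5737 TEST-NET ranges), the interface names hme0..hme2 and the table contents are assumptions for illustration only.

```python
"""Routing-table check for VPN egress on a multi-homed firewall.

Added example, not code from the thread. It models the situation described
there: IKE was negotiated on the firewall's secondary address, but the
default route sends outbound ESP out the primary interface, so the peer
rejects it. A host route for the peer via the secondary gateway fixes the
egress interface. All addresses, interface names and table rows are
constructed assumptions.
"""
import ipaddress

PRIMARY_GW = "198.51.100.1"     # assumed next hop on the primary feed
SECONDARY_GW = "203.0.113.1"    # assumed next hop on the secondary feed
REMOTE_PEER = "192.0.2.77"      # assumed remote VPN gateway

# Constructed table in the spirit of `netstat -rn`:
# (destination prefix, gateway, interface)
ROUTING_TABLE = [
    ("198.51.100.0/24", "198.51.100.2", "hme0"),  # primary Internet feed
    ("203.0.113.0/24",  "203.0.113.2",  "hme1"),  # secondary Internet feed
    ("10.1.0.0/16",     "10.1.0.1",     "hme2"),  # internal / encryption domain
    ("0.0.0.0/0",       PRIMARY_GW,     "hme0"),  # default route via primary
]


def lookup(table, dst):
    """Longest-prefix match. Returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifc in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return None if best is None else (best[1], best[2])


def egress_matches_tunnel(table, peer, tunnel_ifc):
    """True if packets to `peer` leave on the interface whose address the
    tunnel was negotiated on. False is the failure mode in the thread."""
    route = lookup(table, peer)
    return route is not None and route[1] == tunnel_ifc


def host_route(peer, gw, ifc):
    """Routing-table entry for a /32 host route to `peer`."""
    return (f"{peer}/32", gw, ifc)


def solaris_route_cmd(peer, gw):
    """route(1M) invocation for that host route. Verify the exact syntax
    against the route man page on the firewall before relying on it."""
    return f"route add host {peer} {gw}"


if __name__ == "__main__":
    before = lookup(ROUTING_TABLE, REMOTE_PEER)
    print("before:", REMOTE_PEER, "->", before,
          "ok" if egress_matches_tunnel(ROUTING_TABLE, REMOTE_PEER, "hme1")
          else "MISMATCH (ESP leaves primary, IKE was on secondary)")
    fixed = ROUTING_TABLE + [host_route(REMOTE_PEER, SECONDARY_GW, "hme1")]
    after = lookup(fixed, REMOTE_PEER)
    print("after: ", REMOTE_PEER, "->", after,
          "ok" if egress_matches_tunnel(fixed, REMOTE_PEER, "hme1") else "MISMATCH")
    print("fix:   ", solaris_route_cmd(REMOTE_PEER, SECONDARY_GW))
```

On the firewall itself the equivalent check is `netstat -rn` before and after adding the host route: the peer's address should resolve to the secondary feed's gateway and interface, not to the default. Inbound decryption working says nothing about this, since the peer's packets arrive on whichever address they were sent to regardless of the firewall's own routing table.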



   All contents © 2004 Network Presence, LLC. All rights reserved.