RE: [FW1] VPN on two external FW-1 interfaces
Hi,

I have been trying to set up VPN on two interfaces as well. I set up :resolve_multiple_interfaces (true) (SP2 Release Notes) as well as accepting initial RDP packets for interface lookups. Using that, the VPN tunnel is established successfully; however, after 10 min SecuRemote does an IKE Quick Mode with the primary configured IP address in the workstation dialog, which is not reachable. It does not use the IP address of the tunnel endpoint!!! I have created log files and submitted a bug report to the distributor; however, I did not yet get any response. I hope Checkpoint NG will be able to support VPNs on different interfaces.

Josef

> -----Original Message-----
> From: Chandler, Greg [SMTP:[email protected]]
> Sent: Thursday, May 10, 2001 4:41 PM
> To: '[email protected]'
> Subject: [FW1] VPN on two external FW-1 interfaces
>
> I have FW-1 version 4.1 build 41489 running on Solaris 2.6. I have two Internet feeds running into this firewall. I also have VPN tunnels terminated on the primary interface (i.e. the IP address in the firewall object's main window). The remote VPN devices are a mix of FreeSWAN and Instant Internet VPN appliances. I am using ISAKMP, MD5, Single DES, and pre-shared secrets for the VPN tunnels.
>
> Due to link utilization issues, I would like to run some, but not all, of my VPN traffic on the second Internet feed. So, I created another gateway object (not a FW-1 object) that is identified by the IP address of the secondary Internet feed, with an encryption domain of the internal network, which is the same encryption domain (same Network object) used by the primary FW-1 object.
>
> The VPN tunnel comes up and session keys are negotiated using the IP address of the secondary Internet feed on the firewall. The problem is that the firewall then proceeds to use the primary interface to send VPN data to the remote. The remote rejects it, of course, since it does not have a VPN session established with that particular IP address. However, if the remote sends encrypted traffic to the secondary address of the firewall, the traffic is decrypted and forwarded to the ultimate destination on the internal network. This has been confirmed by examining logs and protocol traces.
>
> The question is: is there a fix that will allow the firewall to encrypt on two external interfaces concurrently? Is this a configuration issue, or is there a software patch?
>
> Thank you in advance for everyone's help.
>
> Regards,
>
> Greg Chandler
> Systems Engineer
> Williams Communications
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
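Both messages in this thread describe the same failure: an IPsec SA is negotiated with one of the firewall's addresses as the tunnel endpoint, but the gateway (or, in Josef's case, the SecuRemote client at rekey time) then uses a different address. A peer looks up inbound traffic by (destination address, source address, SPI), so a datagram that leaves from the wrong interface finds no SA and is dropped, exactly as Greg's traces show. The following is an added illustration, written for this page and not Check Point or FreeSWAN code, modelling a minimal SA database on two gateways. The addresses, SPIs, keys and the XOR "cipher" are all constructed placeholders; the point is the lookup and the choice of outer source address, not the cryptography.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Optional, Tuple


def toy_transform(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with the SA key (its own inverse).
    Not real cryptography; it only ties a payload to one SA's key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


@dataclass(frozen=True)
class SA:
    spi: int
    local: str   # tunnel endpoint address on the gateway that owns this SA
    remote: str  # peer's tunnel endpoint address
    key: bytes


class Gateway:
    def __init__(self, name: str, addresses, default_egress: str):
        self.name = name
        self.addresses = frozenset(addresses)
        # Address the routing table would pick for Internet-bound traffic
        # (the "primary feed" in the thread).
        self.default_egress = default_egress
        self.outbound: Dict[str, SA] = {}                  # peer address -> SA
        self.inbound: Dict[Tuple[str, str, int], SA] = {}  # (our addr, peer addr, SPI) -> SA

    def install(self, out_sa: SA, in_sa: SA) -> None:
        """Install the SA pair produced by one Quick Mode exchange."""
        if out_sa.local not in self.addresses or in_sa.local not in self.addresses:
            raise ValueError("SA local endpoint is not one of our addresses")
        self.outbound[out_sa.remote] = out_sa
        self.inbound[(in_sa.local, in_sa.remote, in_sa.spi)] = in_sa

    def send_buggy(self, peer: str, payload: bytes) -> dict:
        """Encrypt under the right SA but let routing choose the outer source:
        this is the behaviour Greg observed on the primary interface."""
        sa = self.outbound[peer]
        return {"src": self.default_egress, "dst": peer, "spi": sa.spi,
                "data": toy_transform(sa.key, payload)}

    def send_fixed(self, peer: str, payload: bytes) -> dict:
        """Outer source address comes from the SA, not from the routing table."""
        sa = self.outbound[peer]
        return {"src": sa.local, "dst": peer, "spi": sa.spi,
                "data": toy_transform(sa.key, payload)}

    def receive(self, pkt: dict) -> Optional[bytes]:
        """Inbound lookup by (dst, src, SPI); None means 'no SA, drop'."""
        sa = self.inbound.get((pkt["dst"], pkt["src"], pkt["spi"]))
        if sa is None:
            return None
        return toy_transform(sa.key, pkt["data"])


MESSAGE = b"internal host -> remote site"  # constructed sample payload


def demo() -> dict:
    # Constructed topology: firewall with a primary and a secondary feed,
    # remote peer with a single address (RFC 5737 documentation ranges).
    fw = Gateway("fw1", {"203.0.113.1", "198.51.100.1"}, default_egress="203.0.113.1")
    remote = Gateway("peer", {"192.0.2.10"}, default_egress="192.0.2.10")

    # Quick Mode negotiated against the SECONDARY feed. Each side's inbound SA
    # is the other side's outbound SA (same SPI and key, endpoints swapped).
    fw.install(out_sa=SA(0x1001, "198.51.100.1", "192.0.2.10", b"key-fw-to-peer"),
               in_sa=SA(0x2002, "198.51.100.1", "192.0.2.10", b"key-peer-to-fw"))
    remote.install(out_sa=SA(0x2002, "192.0.2.10", "198.51.100.1", b"key-peer-to-fw"),
                   in_sa=SA(0x1001, "192.0.2.10", "198.51.100.1", b"key-fw-to-peer"))

    return {
        # Firewall sends from the primary address: peer has no SA for it -> None
        "buggy": remote.receive(fw.send_buggy("192.0.2.10", MESSAGE)),
        # Firewall sends from the SA's own endpoint: accepted and decrypted
        "fixed": remote.receive(fw.send_fixed("192.0.2.10", MESSAGE)),
        # Peer -> secondary address works in both cases, as Greg's logs showed
        "inbound": fw.receive(remote.send_fixed("198.51.100.1", MESSAGE)),
    }
```

Running `demo()` gives `None` for the buggy direction and the original payload for the other two, reproducing the asymmetry in the thread: traffic toward the secondary address decrypts fine, while traffic the firewall emits from the primary address is rejected. The same rule covers Josef's rekey problem: a Quick Mode for an existing tunnel has to be addressed to the SA's peer endpoint, not to whichever address was configured first.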