
RE: [FW1] VPN on two external FW-1 interfaces



Hi,

I have been trying to set up VPN on two interfaces as well. I set
:resolve_multiple_interfaces (true) (SP2 Release Notes) as well as accepting
initial RDP packets for interface lookups.

Using that, the VPN tunnel is established successfully; however, after 10 min
SecuRemote does an IKE Quick Mode with the primary configured IP address in
the workstation dialog, which is not reachable. It does not use the IP
address of the tunnel endpoint!!!

I have created log files and submitted a bug report to the distributor;
however, I have not yet received any response.

I hope Checkpoint NG will be able to support VPNs on different interfaces.


Josef

> -----Original Message-----
> From:	Chandler, Greg [SMTP:[email protected]]
> Sent:	Thursday, May 10, 2001 4:41 PM
> To:	'[email protected]'
> Subject:	[FW1] VPN on two external FW-1 interfaces
> 
> 
> I have FW-1 version 4.1 build 41489 running on Solaris 2.6. I have two
> Internet feeds running into this firewall. I also have VPN tunnels
> terminated on the primary interface (i.e. the IP address in the firewall
> object's main window). The remote VPN devices are a mix of FreeSWAN and
> Instant Internet VPN appliances. I am using ISAKMP, MD5, single DES, and
> pre-shared secrets for the VPN tunnels.
> 
> Due to link utilization issues, I would like to run some, but not all, of
> my VPN traffic on the second Internet feed. So, I created another gateway
> object (not a FW-1 object) that is identified by the IP address of the
> secondary Internet feed, with an encryption domain of the internal
> network, which is the same encryption domain (same Network object) used by
> the primary FW-1 object.
> 
> The VPN tunnel comes up and session keys are negotiated using the IP
> address of the secondary Internet feed on the firewall. The problem is
> that the firewall then proceeds to use the primary interface to send VPN
> data to the remote. The remote rejects it, of course, since it does not
> have a VPN session established with that particular IP address. However,
> if the remote sends encrypted traffic to the secondary address of the
> firewall, the traffic is decrypted and forwarded to the ultimate
> destination on the internal network. This has been confirmed by examining
> logs and protocol traces.
> 
> The question is: is there a fix that will allow the firewall to encrypt on
> two external interfaces concurrently? Is this a configuration issue, or is
> there a software patch?
> 
> 
> Thank you in advance for everyone's help.
> 
> Regards,
> 
> 
> Greg Chandler
> Systems Engineer
> Williams Communications


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
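The failure Greg describes (session keys negotiated on the secondary address, ESP then sent from the primary address, while inbound ESP to the secondary address decrypts fine) can be checked mechanically in a protocol trace rather than by eye. The following is an added example, not code from the original thread or from Check Point: it builds an SA table from IKE Quick Mode completions and flags every ESP packet whose outer source or destination address is not the endpoint that SA was negotiated on. The trace line format, the addresses (RFC 5737 documentation ranges) and the SPIs are all constructed for this example.

```python
"""Check ESP packets in a trace against the IKE-negotiated SA endpoints."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample trace (not from the original post), in a hypothetical
# line format chosen for this example: an "IKE" line records a completed
# Quick Mode (the local address it was negotiated on, the peer, outbound and
# inbound SPIs); an "ESP" line records the outer IP header and SPI of one
# packet on the wire. 203.0.113.1 is the firewall's primary address,
# 203.0.113.2 the secondary feed, 198.51.100.7 the remote VPN peer.
SAMPLE_TRACE = """\
IKE local=203.0.113.2 peer=198.51.100.7 spi_out=0x1a2b3c4d spi_in=0x5e6f7081
ESP src=203.0.113.1 dst=198.51.100.7 spi=0x1a2b3c4d
ESP src=198.51.100.7 dst=203.0.113.2 spi=0x5e6f7081
ESP src=203.0.113.2 dst=198.51.100.7 spi=0x1a2b3c4d
"""
OUR_ADDRS = {"203.0.113.1", "203.0.113.2"}

IKE_RE = re.compile(r"^IKE local=(\S+) peer=(\S+) spi_out=(\S+) spi_in=(\S+)$")
ESP_RE = re.compile(r"^ESP src=(\S+) dst=(\S+) spi=(\S+)$")


@dataclass(frozen=True)
class SAKey:
    """One direction of an IPsec SA: the local endpoint it was negotiated on,
    the peer, and the SPI."""
    local: str
    peer: str
    spi: int


def parse_sa_table(trace: str) -> Dict[SAKey, str]:
    """Build the SA table from IKE lines: SAKey -> 'out' or 'in'."""
    sas: Dict[SAKey, str] = {}
    for line in trace.splitlines():
        m = IKE_RE.match(line)
        if m:
            local, peer, spi_out, spi_in = m.groups()
            sas[SAKey(local, peer, int(spi_out, 16))] = "out"
            sas[SAKey(local, peer, int(spi_in, 16))] = "in"
    return sas


def find_mismatches(trace: str, our_addrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (esp_line, explanation) for every ESP packet whose outer
    addresses do not match the endpoint on which the SA for that SPI was
    negotiated. Packets that are neither from nor to us are ignored."""
    ours = set(our_addrs)
    sas = parse_sa_table(trace)
    problems: List[Tuple[str, str]] = []
    for line in trace.splitlines():
        m = ESP_RE.match(line)
        if not m:
            continue
        src, dst, spi = m.group(1), m.group(2), int(m.group(3), 16)
        if src in ours:                      # outbound: we are the sender
            key, peer, direction = SAKey(src, dst, spi), dst, "out"
        elif dst in ours:                    # inbound: we are the receiver
            key, peer, direction = SAKey(dst, src, spi), src, "in"
        else:
            continue                         # not our traffic
        if sas.get(key) == direction:
            continue                         # SA exists on that endpoint: fine
        # Which of our addresses actually holds an SA for this peer and SPI?
        negotiated = sorted(k.local for k, d in sas.items()
                            if k.peer == peer and k.spi == spi and d == direction)
        if negotiated:
            why = (f"{direction}bound SPI {spi:#x} to {peer} was negotiated on "
                   f"{', '.join(negotiated)}, not {key.local}")
        else:
            why = f"no {direction}bound SA for SPI {spi:#x} with {peer}"
        problems.append((line, why))
    return problems


if __name__ == "__main__":
    for esp_line, why in find_mismatches(SAMPLE_TRACE, OUR_ADDRS):
        print(f"MISMATCH: {esp_line}\n  {why}")
```

Run as a script it reports one mismatch: the outbound packet from 203.0.113.1 carrying the SPI that was negotiated on 203.0.113.2, which is exactly the packet the remote would drop. The inbound packet to the secondary address passes, matching what the logs in the thread showed. On a real capture the two regexes would be replaced by a reader for whatever the firewall's IKE log and the packet dump actually look like; the SA-table lookup is the part that does not change.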
   All contents © 2004 Network Presence, LLC. All rights reserved.