Re: [FW-1] Checkpoint VPN trouble
Hi Jim,

Thanks for that. Unfortunately they are RFC1918 addresses, and I am somewhat amazed that the packets actually make it all the way from Germany without getting blocked as spoofing :) I suppose I could add a rule to allow traffic from that address to my firewall, which might actually bring up the VPN, but it just seems *wrong* to leave it that way. I am hoping I can get it to work with the proper external address of the cluster. I will try this, anyway, to see if we can get traffic flowing.

Cheers!

Jeff LaCoursiere
Infrastructure Specialist
T-Motion

-----Original Message-----
From: Jim MacLeod [mailto:[email protected]]
Sent: Monday, January 28, 2002 5:26 PM
To: [email protected]
Subject: Re: [FW-1] Checkpoint VPN trouble

Hi Jeff,

It sounds like:

1) Their firewalls are using the wrong source IP address. This is usually an OS-specific issue. It can obviously be very bad if it's private address space (e.g. RFC 1918).

2) They might have the internal addresses of their firewalls as the primary IP in their firewall objects, but again it's more likely an OS issue.

Try adding their addresses to the "interfaces" tab for their object on your firewall. This was semi-standard procedure for the first release of Gateway Clusters on FW-1.

FWIW, it shouldn't matter which IP address they've licensed AFAIK.

Regards,
Jim MacLeod

At 07:22 AM 1/28/2002, Jeff LaCoursiere wrote:
>I am trying to establish a VPN with another company. Checkpoint/Solaris
>on our side, dual Checkpoint/AIX(?) in a cluster on their side. Rules are
>set up as I have for other working VPNs, and an attempt to connect through
>the VPN causes key exchange packets to be sent from our side (I see with
>tcpdump).
>
>The return packets, however, have a source address of the internal
>interface of the remote firewall, rather than the expected external
>address. Does anyone know why this occurs? They claim to have licensed
>the internal address on the remote side.
>
>TIA,
>
>Jeff LaCoursiere
>Infrastructure Specialist
>T-Motion
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================

Jim MacLeod
FireWall-1 and network security consultant, San Francisco Bay area
[email protected]
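The check Jeff describes doing by eye with tcpdump, as an added example that is not part of the thread and not Check Point's own code: the script scans constructed tcpdump-style ISAKMP lines and flags IKE replies whose source is not the peer's expected external address, separating RFC 1918 sources (the case reported here) from other mismatches. The addresses, the line format and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample of tcpdump-style output (not from the thread). Our gateway
# 203.0.113.10 sends IKE to the peer's external address 198.51.100.20; the
# first reply arrives from 10.1.1.1, the remote cluster's internal interface.
SAMPLE_TCPDUMP = """\
12:01:02.100 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:01:02.350 10.1.1.1.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:01:05.100 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:01:05.300 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
"""

# Assumed line shape: "<time> <src>.<sport> > <dst>.<dport>: isakmp: ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+isakmp:"
)

# Explicit RFC 1918 ranges; ipaddress.is_private also matches documentation
# and other special-use blocks, which is not what we want to report here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_ike_replies(dump, our_addr, peer_addr):
    """Return (source, reason) for every IKE reply to our_addr whose source
    is not peer_addr; reason is 'rfc1918-source' or 'unexpected-source'."""
    our = ipaddress.ip_address(our_addr)
    peer = ipaddress.ip_address(peer_addr)
    findings = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ISAKMP line in the assumed format
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst != our or src == peer:
            continue  # outbound packet, or reply from the expected peer
        reason = "rfc1918-source" if is_rfc1918(src) else "unexpected-source"
        findings.append((str(src), reason))
    return findings


if __name__ == "__main__":
    for src, reason in check_ike_replies(SAMPLE_TCPDUMP, "203.0.113.10", "198.51.100.20"):
        print(f"IKE reply from {src}: {reason}")
```

A reply flagged as rfc1918-source is the symptom in the thread: the remote gateway is answering from its internal interface rather than the external address configured in the peer object.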