
Re: [FW-1] Checkpoint VPN trouble



Jeff,

I have worked through this issue here.  Check that the remote end has
:IPsec_cluster_nat (true) in their objects.C defined for their gateway
object.


There is a phoneboy on it ... "How to setup a High Availability VPN"

FireWall-1 4.1 SP3 and later have a feature that will force FireWall-1 to only use the Gateway Cluster IP address when it originates packets.
This will be necessary when UDP Encapsulation is used or when talking to a third-party VPN endpoint. To enable this feature in 4.1 SP3 or SP4,
add the following line to the :props ( section of objects.C (For guidelines on editing objects.C, see How do I Edit Objects.C?).

:IPSec_cluster_nat (true)

Also, this is the default behavior at I think SP5. One thing that confused us for a long time was when we looked in the log it still showed our
internal RFC address. But once we ran snoops we saw that our internal RFC was getting NAT'd to our Gateway Cluster address. The log was just misleading.

Good luck,
Donna
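Added example, not part of the thread and not Check Point's own tooling: a small Python parser for the nested ":key (value)" layout of objects.C that reports whether :IPSec_cluster_nat (true) actually sits in the :props section, so an absent, disabled or misplaced flag (e.g. one pasted into a gateway object instead of :props) is caught before the tunnel is tested. The objects.C excerpt, the gateway name and the 203.0.113.1 address are constructed.

```python
"""Check an objects.C excerpt for :IPSec_cluster_nat (true) under :props."""
import re

# Tokenise objects.C into parens, quoted strings and bare words.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def _parse_group(tokens, pos):
    """Parse the group opened at tokens[pos] == "(" and return (value, next_pos):
    a dict for ":key (...)" entries, a string for a lone atom such as (true)."""
    pos += 1
    keyed, atoms = {}, []
    while pos < len(tokens) and tokens[pos] != ")":
        tok = tokens[pos]
        if tok.startswith(":") and pos + 1 < len(tokens) and tokens[pos + 1] == "(":
            keyed[tok[1:].lower()], pos = _parse_group(tokens, pos + 1)
        elif tok == "(":
            val, pos = _parse_group(tokens, pos)
            atoms.append(val)
        else:
            atoms.append(tok.strip('"'))
            pos += 1
    pos += 1  # consume the closing ")"
    if keyed:
        return keyed, pos
    return (atoms[0] if len(atoms) == 1 else atoms), pos

def parse_objects_c(text):
    return _parse_group(TOKEN.findall(text), 0)[0]

def ipsec_cluster_nat_enabled(text):
    """True only when :props carries :IPSec_cluster_nat (true). The key is matched
    case-insensitively (the thread spells it both ways); a copy of the flag inside
    a gateway object, or a (false) value, does not count."""
    root = parse_objects_c(text)
    props = root.get("props") if isinstance(root, dict) else None
    if not isinstance(props, dict):
        return False
    return str(props.get("ipsec_cluster_nat", "")).lower() == "true"

# Constructed excerpt, not a real objects.C; 203.0.113.1 is a documentation address.
SAMPLE = """(
    :props (
        :IPSec_cluster_nat (true)
        :fw1_version ("4.1 SP3")
    )
    :network_objects (
        :remote_cluster (:type (gateway_cluster) :ipaddr (203.0.113.1))
    )
)"""
```

Calling ipsec_cluster_nat_enabled(SAMPLE) returns True; the same call on a file where the flag only appears inside a gateway object returns False.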




Jeff LaCoursiere <[email protected]>
@beethoven.us.checkpoint.com> on 01-28-2002 10:22:00 AM

Please respond to Mailing list for discussion of Firewall-1
      <[email protected]>

Sent by:  Mailing list for discussion of Firewall-1
      <[email protected]>


To:   [email protected]
cc:
Subject:  [FW-1] Checkpoint VPN trouble


I am trying to establish a VPN with another company.  Checkpoint/Solaris on
our side, dual Checkpoint/AIX(?) in a cluster on their side.  Rules are
set up as I have for other working VPNs, and an attempt to connect through
the VPN causes key exchange packets to be sent from our side (I see with
tcpdump).

The return packets, however, have a source address of the internal
interface of the remote firewall, rather than the expected external
address.  Does anyone know why this occurs?  They claim to have licensed
the internal address on the remote side.

TIA,

Jeff LaCoursiere
Infrastructure Specialist
T-Motion

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.