[FW-1] Questions about IKE VPN setup/FW objects on Nokia w/ GW clusters

[Jim Burwell <jimb@FW1-NOSPAMBROADVISION.COM>]

Hi..

I'm about to swing an IKE VPN over from one firewall to another firewall
running VPN-1 4.1 on a pair of Nokia boxes in fail over mode.  The new
firewalls are configured with VRRP and synchronization turned on, etc.

According to what I've read, I know I need to set up a gateway cluster
object, using the external VRRP address as the GW cluster IP, and put
both of the firewalls into this object, etc.  I'm concerned about the
current configuration of the firewall objects, and whether they will
pose problems when I try to set up the IKE VPN.

The firewall objects have their IP addresses defined as the internal
interface of the firewall (which are RFC-1918 10.x addresses).  However,
the firewalls' hostname matches the IP address in /etc/hosts
corresponding to the external IP address of the firewalls.  According to
the documentation I've read, having the hostname of the firewall match
the external IP of the firewall is a must for VPNs to work correctly.
But do the firewall objects also have to be defined using the
firewall's external IPs ?  Or, can I leave them alone and keep using the
internal IPs ?

If I have to change the FW objects' IP addresses, what should I look out
for ?  I'm assuming I'll have to do new putkeys, etc, before I
re-install the policy ?

TIA, Jim

=================================================
To set vacation, Out Of Office, or away messages,
send an email to LISTSERV@lists.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================