[FW-1] Questions about IKE VPN setup/FW objects on Nokia w/ GW clusters
Hi..

I'm about to swing an IKE VPN over from one firewall to another firewall running VPN-1 4.1 on a pair of Nokia boxes in fail over mode. The new firewalls are configured with VRRP and synchronization turned on, etc. According to what I've read, I know I need to set up a gateway cluster object, using the external VRRP address as the GW cluster IP, and put both of the firewalls into this object, etc.

I'm concerned about the current configuration of the firewall objects, and whether they will pose problems when I try to set up the IKE VPN. The firewall objects have their IP addresses defined as the internal interface of the firewall (which are RFC-1918 10.x addresses). However, the firewalls' hostname matches the IP address in /etc/hosts corresponding to the external IP address of the firewalls.

According to the documentation I've read, having the hostname of the firewall match the external IP of the firewall is a must for VPNs to work correctly. But do the firewall objects also have to be defined using the firewall's external IPs? Or, can I leave them alone and keep using the internal IPs?

If I have to change the FW objects' IP addresses, what should I look out for? I'm assuming I'll have to do new putkeys, etc., before I re-install the policy?

TIA,
Jim