Hi All,

I have a very interesting problem. I would really appreciate it if somebody could help me out.
We have a corporate VPN between 5 offices. We are using Checkpoint 4.1 on Windows NT. The Management console is at the head office, from where we control all the other firewalls. The problem in question relates to an office; let us call that office A.

Office A has two FWs. One FW is used for VPNs between offices, and another Checkpoint firewall is used to have VPNs with partners. The network interfaces on these two Office A FWs are completely different. Since the client FW needs access to the Office A internal network, we have used a router to do this. The router was necessary because the two interfaces on the two firewalls are in separate networks.
The Office A encryption domain contains 2 networks. Let's call them network A and B. This encryption domain is used on the Office A FW to establish VPNs with other offices.
Now the problem is that as soon as I use the same encryption domain on the Office A Client FW, it breaks the VPN between Office A and the other offices. This does not look like an overlapping encryption domain problem, because the encryption domain is used on two different firewalls and there is no VPN between those two firewalls.
As soon as I remove a network from the encryption domain and disable encryption on the Office A Client FW, the VPN between offices works fine.

I also tried defining a totally different encryption domain for the Office A Client FW which includes the same networks A and B as the Office A encryption domain does. That did not work either; same problem.
I would really appreciate your help in solving this problem.
[Network diagram, garbled in extraction; labels as recoverable:]

        Internal network
              |
        Headoffice FW  (outer interface goes to ISP, has legal IP address)
              |
              |  (Internet)
              |
  Office A FW ---- Router / Office A DMZ ---- Office A Client FW
                          |                          |
              Office A internal network     VPN with the client
                                            through this interface
Thanks
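As an added illustration (not part of the original post, and not Checkpoint's own tooling), the script below models the situation described above: two gateways at Office A that both announce networks A and B as their encryption domain. It lists which encryption domains overlap across gateways and, for a given destination address, which gateways a remote peer could choose to send encrypted traffic to. The gateway names and network ranges are constructed for the example; whether Checkpoint 4.1 actually resolves the post's case this way is not something the post establishes, so treat the output as a consistency check on the configuration, not as a diagnosis.

```python
# Added example: flag encryption domains that overlap across different
# VPN gateways. If two gateways both claim the same network, a remote
# peer has more than one candidate gateway for that destination, which is
# an ambiguity worth surfacing before it turns into a broken tunnel.
# All gateway names and networks here are constructed for illustration.
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed topology: head office, Office A FW, Office A Client FW.
GATEWAYS = {
    "headoffice-fw": ["10.1.0.0/16"],
    "officeA-fw": ["10.2.0.0/24", "10.3.0.0/24"],         # networks A and B
    "officeA-client-fw": ["10.2.0.0/24", "10.3.0.0/24"],  # same domain again
}


def parse_domains(gateways):
    """Turn {gateway: [cidr, ...]} into {gateway: [ip_network, ...]}."""
    return {gw: [ip_network(n) for n in nets] for gw, nets in gateways.items()}


def overlapping_domains(gateways):
    """Return a sorted list of (gw1, gw2, net1, net2) for every pair of
    gateways whose encryption domains overlap, even partially."""
    domains = parse_domains(gateways)
    clashes = []
    for (g1, nets1), (g2, nets2) in combinations(domains.items(), 2):
        for a in nets1:
            for b in nets2:
                if a.overlaps(b):
                    clashes.append((g1, g2, str(a), str(b)))
    return sorted(clashes)


def candidate_gateways(gateways, dst):
    """Gateways whose encryption domain contains dst, sorted by name.
    More than one entry means a remote peer's choice is ambiguous."""
    addr = ip_address(dst)
    domains = parse_domains(gateways)
    return sorted(gw for gw, nets in domains.items() if any(addr in n for n in nets))


def main():
    for g1, g2, a, b in overlapping_domains(GATEWAYS):
        print(f"overlap: {g1} {a} <-> {g2} {b}")
    for dst in ("10.2.0.10", "10.1.5.5"):
        gws = candidate_gateways(GATEWAYS, dst)
        status = "ambiguous" if len(gws) > 1 else "ok"
        print(f"{dst}: {gws} ({status})")


if __name__ == "__main__":
    main()
```

Running it against the constructed topology reports both of Office A's networks as overlapping between `officeA-fw` and `officeA-client-fw`, and shows that a host in network A has two candidate gateways while a head-office host has exactly one. Giving the client FW a domain that does not overlap with the office FW makes the second list collapse to a single gateway.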