Hi All,

I have a very interesting problem. I would really appreciate it if somebody could help me out.

We have a corporate VPN between 5 offices. We are using Checkpoint 4.1 on Windows NT. The Management console is at the head office, from where we control all the other firewalls. The problem in question relates to one office; let us call that office A.

Office A has two FWs. One FW is used for VPNs between offices, and the other Checkpoint firewall is used for VPNs with partners. The network interfaces on these two Office A FWs are completely different. Since the client FW needs access to the Office A internal network, we have used a router to do this. The router was necessary because the two interfaces on the two firewalls are in separate networks.

The Office A encryption domain contains 2 networks. Let's call them network A and network B. This encryption domain is used on the Office A FW to establish VPNs with the other offices.

Now the problem is that as soon as I use the same encryption domain on the Office A - Client FW, it breaks the VPN between Office A and the other offices. This does not look like an overlapping encryption domain problem, because the encryption domain is used on two different firewalls and there is no VPN between those two firewalls.

As soon as I remove a network from the encryption domain and disable encryption on the Office A - Client FW, the VPN between offices works fine.

I also tried defining a totally different encryption domain for the Office A - Client FW which includes the same networks A and B as the Office A encryption domain does. That did not work either. Same problem.

I would really appreciate your help in solving this problem.
                        ^
                        | goes to Internal network
              -------------------------
              |     Headoffice FW     |
              -------------------------
                        | This interface goes to ISP, has legal IP address
                        |
      -----------------------------------------------------
                        |
                        |
          --------------------        -----------------
          |  Office A Router |--------|  Office A FW  |------- DMZ
          --------------------        -----------------
                |       |
                |       +---- Office A internal network
                |
          --------------------
          | Office A          |
          | Client FW         |
          --------------------
                |
                | VPN with the client through this interface
Thanks
Wajid Khan
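A check a firewall administrator can run before pushing a policy, as an added example that is not part of the original post or of any Checkpoint tool: model each gateway's encryption domain as a list of CIDR prefixes and report any address range that more than one gateway claims. A peer that must choose which gateway to encrypt to for a given destination needs that mapping to be unique, so two gateways claiming the same network is the condition worth spotting, whether or not those two gateways have a VPN with each other. The gateway names and all addresses below are constructed for illustration; the post gives none.

```python
import ipaddress
from itertools import combinations

# Constructed sample: each gateway's encryption domain as CIDR prefixes.
# Names and addresses are invented; they mirror the layout in the post
# (one head office, an Office A FW and an Office A Client FW that both
# list "network A" and "network B").
ENCRYPTION_DOMAINS = {
    "HeadOffice-FW":     ["10.1.0.0/16"],
    "OfficeA-FW":        ["10.2.1.0/24", "10.2.2.0/24"],  # networks A and B
    "OfficeA-Client-FW": ["10.2.1.0/24", "10.2.2.0/24"],  # same networks A and B
}


def parse_domains(domains):
    """Turn {gateway: [prefix, ...]} into {gateway: [ip_network, ...]}.
    strict=True rejects prefixes with host bits set (a typo in a network object)."""
    return {
        gw: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for gw, prefixes in domains.items()
    }


def find_overlaps(domains):
    """Return (gw1, gw2, net1, net2) for every pair of prefixes, on two
    different gateways, that overlap. An empty list means every address
    maps to at most one gateway."""
    parsed = parse_domains(domains)
    overlaps = []
    for (g1, nets1), (g2, nets2) in combinations(parsed.items(), 2):
        for n1 in nets1:
            for n2 in nets2:
                if n1.overlaps(n2):
                    overlaps.append((g1, g2, str(n1), str(n2)))
    return overlaps


def gateways_for(address, domains):
    """Which gateways claim this destination address? More than one name
    means a remote peer cannot pick a unique encryption peer for it."""
    ip = ipaddress.ip_address(address)
    parsed = parse_domains(domains)
    return sorted(gw for gw, nets in parsed.items() if any(ip in n for n in nets))


def report(domains):
    """Human-readable summary for the administrator."""
    lines = []
    for g1, g2, n1, n2 in find_overlaps(domains):
        lines.append(f"OVERLAP: {g1} {n1} <-> {g2} {n2}")
    if not lines:
        lines.append("OK: no address range is claimed by more than one gateway")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ENCRYPTION_DOMAINS))
    print("10.2.1.5 is claimed by:", gateways_for("10.2.1.5", ENCRYPTION_DOMAINS))
```

Running it on the constructed sample flags both networks as claimed by OfficeA-FW and OfficeA-Client-FW; after the workaround the post describes (removing a network from one of the two domains), `find_overlaps` returns nothing for that network.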