Hmm. I'm far from being the SecureRemote expert over here. In theory it might be possible, but it probably depends quite a bit on (1) exactly what traffic is going through the VPN (does traffic from Network A destined for Firewall B's external IP go through the VPN tunnel?) and (2) what kind of NAT is going on.
For example: Suppose User A is hide-NATed behind Firewall A's external IP, and suppose that traffic from Network A (internal) to Firewall B's external IP does *not* go through the VPN (pretty common--usually a LAN-to-LAN VPN is set up to facilitate traffic between devices behind the firewalls, not between workstations and an outside interface of one of the firewalls). If you have this setup, User A, in attempting to set up a VPN with Firewall B, talks directly to Firewall B's external IP. However, Firewall B sees the source of this (VPN) traffic as being Firewall A's external IP. It already has rules for handling VPN traffic from Firewall A's external IP and an existing, live tunnel to boot.
What do you suppose Firewall B does in this example? I don't know for sure, but I'm betting it won't be working communication with User A. I'm thinking it will either dump the communication because it clashes with the existing tunnel, get caught up in the Firewall A <-> Firewall B rulesets and eventually vanish, or... well, you get the idea.
So I guess a good answer to your question would probably depend quite a bit on the specifics of the existing VPN setup as well as the NAT rules that impact it. I think one probably could set up a VPN in a VPN (heaven forbid), but only if the 'outermost' tunnel and NAT rules were set up fairly precisely to allow it.
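The rule-matching collision sketched in the reply above, as an added illustrative model written for this page (it is not code from the thread and not Check Point's implementation; the addresses, the rule names, the hide-NAT behaviour and the first-match rulebase semantics are all constructed assumptions). It shows that once the client's IKE packet has been hide-NATed behind Firewall A's external address, the only field that still differs from the gateway's own IKE is the source port, which a source/destination/service rule never looks at:

```python
"""Illustrative model (added example, not from the original thread and not
Check Point code) of why a hide-NATed SecureRemote client's IKE packet is
indistinguishable, by address, from the peer gateway's IKE at Firewall B.
All names, addresses and rules below are constructed assumptions."""
from dataclasses import dataclass, replace
from itertools import count
from typing import FrozenSet, List, Optional

# Constructed addresses (assumptions, not from the thread).
A_EXT = "203.0.113.1"     # Firewall A external interface
B_EXT = "198.51.100.1"    # Firewall B external interface
CLIENT = "10.1.0.25"      # SecureRemote user on Network A (internal)
NET_A = "10.1.0."         # crude prefix test for "is this Network A?"
IKE = 500                 # ISAKMP/IKE on UDP

_PORT_POOL = count(10000)  # hide NAT hands out fresh source ports from here


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]      # {"any"} or a set of addresses
    dst: FrozenSet[str]
    dport: Optional[int]     # None = any service
    action: str


def _in(field: FrozenSet[str], value: str) -> bool:
    return "any" in field or value in field


def first_match(rulebase: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Classic first-match evaluation: src, dst and service only, never sport."""
    for rule in rulebase:
        if _in(rule.src, pkt.src) and _in(rule.dst, pkt.dst) \
                and rule.dport in (None, pkt.dport):
            return rule
    return None


def hide_nat(pkt: Packet) -> Packet:
    """Hide NAT on Firewall A (modelled, not vendor behaviour): internal sources
    leave as A_EXT with a fresh source port; the gateway's own traffic, which
    already has src == A_EXT, is left untouched."""
    if pkt.src.startswith(NET_A):
        return replace(pkt, src=A_EXT, sport=next(_PORT_POOL))
    return pkt


# Firewall B's rulebase (constructed): the existing gateway-to-gateway
# Encrypt rule sits above a rule intended for SecureRemote clients.
RULEBASE_B = [
    Rule("Encrypt A<->B", frozenset({A_EXT}), frozenset({B_EXT}), IKE,
         "ike for the site-to-site tunnel"),
    Rule("Client Encrypt", frozenset({"any"}), frozenset({B_EXT}), IKE,
         "ike for SecureRemote clients"),
    Rule("Cleanup", frozenset({"any"}), frozenset({"any"}), None, "drop"),
]


def rule_hit_at_b(pkt_as_sent: Packet, natted: bool = True) -> str:
    """Name of the rule on Firewall B that the packet lands on, after
    (optionally) passing through Firewall A's hide NAT on the way out."""
    arriving = hide_nat(pkt_as_sent) if natted else pkt_as_sent
    hit = first_match(RULEBASE_B, arriving)
    return hit.name if hit else "no match"


def demo() -> dict:
    gw_ike = Packet(A_EXT, IKE, B_EXT, IKE)        # Firewall A's own IKE
    client_ike = Packet(CLIENT, IKE, B_EXT, IKE)   # SecureRemote client's IKE
    return {
        "gateway": rule_hit_at_b(gw_ike),
        "client_natted": rule_hit_at_b(client_ike),
        "client_not_natted": rule_hit_at_b(client_ike, natted=False),
    }


if __name__ == "__main__":
    for scenario, rule_name in demo().items():
        print(f"{scenario:18s} -> {rule_name}")
```

With the hide NAT in place both the gateway's IKE and the client's IKE land on the same "Encrypt A<->B" rule, which is the clash the reply is betting on; only when the client's source address survives untranslated does the packet reach the client rule, which is why the answer hinges on the NAT rules as much as on the tunnel itself.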
User behind firewall A is trying to establish a VPN to the firewall at location B so that he can access machines on the B network. If Firewall A and B already have an established tunnel, is it possible for a client using SecureRemote on the A network to do this? Basically it's a VPN within a VPN.
Matt
Can you clarify something... user is in location A, there is a checkpoint-to-checkpoint VPN from location A to location B, user has SecureRemote in location A... what is the endpoint of the desired SecureRemote connection? The Checkpoint at location B? Or something else?
This might sound like a funny question, but can a SecureRemote VPN work through an existing checkpoint to checkpoint VPN? According to the logs, the UDP IKE connection is not getting through to the client because it is dropped under the 'Encrypt rule'.
I'm trying to figure this out because I'm supporting users who don't want to simply "disable" SecureRemote behind the firewall. I know it sounds dumb.
I'm using build 4199 and the two firewalls in question are FireWall-1 4.1 SP3 running on Nokias.
Any help would be appreciated.
Thanks!!
Matt