[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] Overlapping encryption domains problem!

To: [email protected]
Subject: [FW-1] Overlapping encryption domains problem!
From: Mat�as Bevilacqua Trabado <[email protected]>
Date: Mon, 2 Sep 2002 11:34:50 +0200
Importance: Normal
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Hi everyone!

I have a problem with overlapping encryption domains which I simply don't
understand.

The setting is the following:

2 Clusters each made up of 2 nodes running FW-1 NG-FP1 & Stonebeat 3.0
1 Management console (FW-1 NG-FP1 too) which manages BOTH clusters.

This is no MEP configuration, each cluster gives access to a different
network.
The problem is that if I create a domain encryption for each network and
select "Exportable for Securemote" in the topology of both clusters I can't
add any site to my Securemote clients because I get the "Overlapping
encryption domain" error on my client.

If I deselect "Exportable for Securemote" on one of the gateways there is no
longer an Overlapping domain error but the cluster in which I have
deselected the option no longer works. My client no longer tries to encrypt
traffic sent to that network.

I know that FW-1 includes all interfaces from each node in the encryption
domain when I select "Exportable for Securemote" and that is why I get the
"Overlapping encryption domain" error. I could change for example the sync.
networks on one cluster but I can't change the network through wich _both_
clusters talk with my management console! I don't understand why Checkpoint
designed Encryption Domains like this... is my configuration not possible?

I know I could end up creating a users.C file by hand but distributing that
to mi Securemote clients would be a pain, is there no "correct" way to set
up this configuration?

Thank you very much!
Mat�as Bevilacqua Trabado.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: [FW-1] FW-1 and tunneling software
Next by Date: [FW-1] unification process failure
Prev by thread: [FW-1] FW-1 and tunneling software
Next by thread: Re: [FW-1] Overlapping encryption domains problem!
Index(es):
- Date
- Thread