
Re: [FW-1] Overlapping encryption domains problem!



overlapping encryption domains

I had this problem with a solution I was asked to look at.  I found that the
Administrator had NATed the secondary cluster to the address used for the VPN
connection to the primary web-facing cluster, so the encryption domains then
overlapped.

Hope this helps.

Russ



From: Matías Bevilacqua Trabado <matias@ESCERT.UPC.ES>
Date: 02/09/2002 10:34
Please respond to: Mailing list for discussion of Firewall-1
To: [email protected]
cc: (bcc: Russell George/Hatfield/CCenter)
Subject: [FW-1] Overlapping encryption domains problem!





Hi everyone!

I have a problem with overlapping encryption domains which I simply don't
understand.

The setting is the following:

2 Clusters each made up of 2 nodes running FW-1 NG-FP1 & Stonebeat 3.0
1 Management console (FW-1 NG-FP1 too) which manages BOTH clusters.

This is no MEP configuration, each cluster gives access to a different
network.
The problem is that if I create an encryption domain for each network and
select "Exportable for SecuRemote" in the topology of both clusters I can't
add any site to my SecuRemote clients because I get the "Overlapping
encryption domain" error on my client.

If I deselect "Exportable for SecuRemote" on one of the gateways there is no
longer an Overlapping domain error, but the cluster on which I have
deselected the option no longer works. My client no longer tries to encrypt
traffic sent to that network.

I know that FW-1 includes all interfaces from each node in the encryption
domain when I select "Exportable for SecuRemote" and that is why I get the
"Overlapping encryption domain" error. I could change, for example, the sync
networks on one cluster, but I can't change the network through which _both_
clusters talk with my management console! I don't understand why Checkpoint
designed Encryption Domains like this... is my configuration not possible?

I know I could end up creating a users.C file by hand, but distributing that
to my SecuRemote clients would be a pain. Is there no "correct" way to set
up this configuration?

Thank you very much!
Matías Bevilacqua Trabado.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
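The overlap Matías describes is easy to reproduce on paper once you write down what each gateway object exports to the client: the protected network plus, when the object is marked exportable, the networks behind every node interface (this is how the post describes FW-1's behaviour; treating each interface as contributing its attached network is an assumption of this example). The following script is an added illustration, not code from the thread or from Check Point; the addresses are constructed, and the two helper functions are hypothetical. It builds the two exported domains, reports which subnets collide, and shows that marking one cluster non-exportable removes the collision only by removing that cluster's whole domain from the client, which is exactly the symptom in the question. The check is what you would run before deciding whether a NAT (Russ's fix) or a topology change is needed, because it tells you which subnet is the culprit.

```python
import ipaddress
from itertools import combinations


def exportable_domain(protected, node_interfaces, exportable=True):
    """Model what a SecuRemote client downloads for one gateway object.

    protected:       CIDR strings for the network behind the cluster.
    node_interfaces: address/prefix strings for every interface of every node.
    exportable:      the "Exportable for SecuRemote" flag on the object.

    Assumption (mirrors the post's description of FW-1, not verified against
    the product): an exportable object contributes the network attached to
    each node interface; a non-exportable object is not sent to the client
    at all, so its domain is empty from the client's point of view.
    """
    if not exportable:
        return []
    nets = list(protected)
    nets += [str(ipaddress.ip_interface(i).network) for i in node_interfaces]
    # Keep first occurrence of each network (both nodes share the same nets).
    return list(dict.fromkeys(nets))


def find_overlaps(domains):
    """Return (gw_a, gw_b, net_a, net_b) for every pair of gateways whose
    exported domains contain overlapping networks. An empty list means the
    client would accept the site without an 'Overlapping encryption domain'
    error (under the model above)."""
    parsed = {
        name: [ipaddress.ip_network(c, strict=False) for c in cidrs]
        for name, cidrs in domains.items()
    }
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                # overlaps() only compares networks of the same IP version.
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, b, str(na), str(nb)))
    return hits


# Constructed topology: each cluster has a protected network, a private sync
# network, an interface on the shared management network and an external leg.
CLUSTER_A_NODES = ["192.168.1.1/24", "192.168.1.2/24",   # sync
                   "172.16.0.11/24", "172.16.0.12/24",   # management (shared)
                   "198.51.100.11/24", "198.51.100.12/24"]  # external
CLUSTER_B_NODES = ["192.168.2.1/24", "192.168.2.2/24",
                   "172.16.0.21/24", "172.16.0.22/24",
                   "203.0.113.21/24", "203.0.113.22/24"]

# Scenario 1: both objects exportable -> management net appears twice.
DOMAINS_BOTH_EXPORTABLE = {
    "cluster-A": exportable_domain(["10.1.0.0/24"], CLUSTER_A_NODES),
    "cluster-B": exportable_domain(["10.2.0.0/24"], CLUSTER_B_NODES),
}

# Scenario 2: cluster-B not exportable -> no overlap, but no domain either.
DOMAINS_ONE_EXPORTABLE = {
    "cluster-A": exportable_domain(["10.1.0.0/24"], CLUSTER_A_NODES),
    "cluster-B": exportable_domain(["10.2.0.0/24"], CLUSTER_B_NODES,
                                   exportable=False),
}

if __name__ == "__main__":
    for label, doms in (("both exportable", DOMAINS_BOTH_EXPORTABLE),
                        ("one exportable", DOMAINS_ONE_EXPORTABLE)):
        print(label, "->", find_overlaps(doms) or "no overlap")
```

Running it prints the single colliding pair, 172.16.0.0/24 on both clusters, for the first scenario and no overlap for the second, with cluster-B's domain reduced to nothing. The sync networks (192.168.1.0/24 vs 192.168.2.0/24) never collide, which is why changing them, as the post notes, would not help; the shared management subnet is the only one that has to disappear from one side's exported domain.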