
Re: [FW-1] overlapping encryption domains




You are correct. Gateway clusters do stick their interfaces into the encryption domain.

What I had to do to resolve this issue is this:

Create separate networks for each Nokia (physical interface) and gateway cluster (sync networks): 172.25.1.1/30, 172.25.1.4/30 and so on...

 

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Sunday, November 10, 2002 3:18 PM
To: [email protected]
Cc: [email protected]
Subject: RE: [FW-1] overlapping encryption domains

 

David,

 

I had a similar problem,

 

If I understand it correctly you have 4 clusters, and they have one (or more) network(s) that is connected to some or all of them.

Let's say Cluster 1 has IP 172.25.1.1 and Cluster 2 has IP 172.25.1.254 on the same 'physical' network.

 

The source of the problem is that NG puts all interfaces of its Gateway automatically in the encryption domain.

So if Cluster 1 has the 172.25.1.0 network included in its encryption domain, but Cluster 2 does not have it in its encryption domain, you will still get this 'overlapping encryption domain' error because Cluster 2 has automatically put the address 172.25.1.254 in the encryption domain.

 

The solution is to make an address range - 172.25.1.1-172.25.1.253 (excluding 172.25.1.254) - and put this address range in the encryption domain for Cluster 1 instead of the whole network.

 

Arnor Arnason

EJS

Iceland

-----Original Message-----
From: Reznik, David [mailto:[email protected]]
Sent: 4 November 2002 03:19
To: [email protected]
Subject: [FW-1] overlapping encryption domains

Does anyone here know how to resolve this problem? The VPN client goes to fetch a topology from an NGFP2 gateway, authenticates, and then gets the error message "overlapping encryption domain".

The scenario is this:

4 sites, each one protected by a gateway cluster. All sites are interconnected via internal LAN. The encryption domain for each site is a group of networks protected by the NG gateway, e.g. GatewayCluster1 (networks 172.16.1.x, 172.16.2.x) and so on. 3 of the sites are NGFP2 and one site is 4.1 SP6. NG generates this error message; however, 4.1 is not a problem. I can fetch a topology from 4.1 without a problem. This was working fine prior to the upgrade.

 

Any ideas???

 

"The information in this e-mail, and any attachment therein, is
confidential and for use by the addressee only. If you are not the
intended recipient, please return the e-mail to the sender and delete
it from your computer. Although The Bank of New York attempts to
sweep e-mail and attachments for viruses, it does not guarantee that
either are virus-free and accepts no liability for any damage sustained
as a result of viruses."
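The thread's diagnosis can be checked mechanically before pushing policy: model each cluster's configured encryption domain, add the gateway's own interface addresses to it the way NG does automatically, and look for any cross-cluster overlap. The script below is an added example written for this archive page; it is not Check Point code and the thread contains no such tool. It assumes a simplified model in which every listed interface address is added to the domain as a single host, and it uses the addresses given in the thread (172.25.1.1, 172.25.1.254, the 172.16.x.0/24 site networks) as constructed sample data. The "broken" scenario reproduces the error Arnor describes; the "fixed" scenario applies his address-range workaround (172.25.1.1-172.25.1.253); the "split" scenario applies the /30-per-cluster layout from the top reply.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

# A cluster is modelled as {"domain": [networks], "interfaces": [interface IPs]}.
Cluster = Dict[str, list]


def net(cidr: str) -> IPNet:
    return ipaddress.IPv4Network(cidr)


def range_to_networks(first: str, last: str) -> List[IPNet]:
    """Expand an address-range object (e.g. 172.25.1.1-172.25.1.253) into the
    CIDR blocks that cover it exactly, so it can be compared like a network."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def effective_domain(cluster: Cluster) -> List[IPNet]:
    """Configured domain plus the gateway's own interface addresses as /32 hosts.
    Assumption (from the thread): NG adds every gateway interface automatically."""
    nets = list(cluster["domain"])
    for ip in cluster["interfaces"]:
        nets.append(net(f"{ip}/32"))
    return nets


def find_overlaps(clusters: Dict[str, Cluster]) -> List[Tuple[str, str, IPNet, IPNet]]:
    """Return every pair of clusters whose effective domains share address space.
    Overlap between a cluster's own interfaces and its own domain is fine and ignored."""
    names = sorted(clusters)
    domains = {n: effective_domain(clusters[n]) for n in names}
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in domains[a]:
                for nb in domains[b]:
                    if na.overlaps(nb):
                        hits.append((a, b, na, nb))
    return hits


# Constructed sample data, using the thread's example addresses.
SITE1 = [net("172.16.1.0/24"), net("172.16.2.0/24")]
SITE2 = [net("172.16.3.0/24"), net("172.16.4.0/24")]


def broken_scenario() -> Dict[str, Cluster]:
    # Cluster1 puts the whole shared 172.25.1.0/24 into its domain; Cluster2's
    # interface 172.25.1.254 lands in Cluster2's domain automatically -> overlap.
    return {
        "Cluster1": {"domain": SITE1 + [net("172.25.1.0/24")], "interfaces": ["172.25.1.1"]},
        "Cluster2": {"domain": SITE2, "interfaces": ["172.25.1.254"]},
    }


def fixed_scenario() -> Dict[str, Cluster]:
    # Arnor's workaround: an address range that stops short of Cluster2's address.
    return {
        "Cluster1": {"domain": SITE1 + range_to_networks("172.25.1.1", "172.25.1.253"),
                     "interfaces": ["172.25.1.1"]},
        "Cluster2": {"domain": SITE2, "interfaces": ["172.25.1.254"]},
    }


def split_scenario() -> Dict[str, Cluster]:
    # Top reply's approach: a separate /30 per cluster, so no shared network exists.
    return {
        "Cluster1": {"domain": SITE1 + [net("172.25.1.0/30")], "interfaces": ["172.25.1.1"]},
        "Cluster2": {"domain": SITE2 + [net("172.25.1.4/30")], "interfaces": ["172.25.1.5"]},
    }


def covers(nets: Iterable[IPNet], ip: str) -> bool:
    """True if any network in the list contains the given address."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for label, scenario in (("broken", broken_scenario()),
                            ("fixed", fixed_scenario()),
                            ("split", split_scenario())):
        hits = find_overlaps(scenario)
        print(f"{label}: {len(hits)} overlap(s)")
        for a, b, na, nb in hits:
            print(f"  {a} {na} overlaps {b} {nb}")
```

Running it reports exactly one overlap for the broken layout (Cluster1's 172.25.1.0/24 against Cluster2's automatically added 172.25.1.254/32) and none for the other two. The same check is worth repeating whenever an interface address changes on any cluster, since the automatically added hosts are what the GUI does not show in the domain object.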


