
Re: [FW-1] vpn/securemote question.



You will need to create a 'site' on the SR client to site B, which will
download the topo as specified in site B's encryption domain.
This will give you a VPN to site A and a second VPN to site B.
On site B's fw you will have to set up a user account etc.  If you set up
the same UID and pw as you did on site A then the SR client can tick the
'remember password' checkbox.  This should (although it does not in my
experience) remember the pw the user entered when authenticating site A and
send it to site B.

If you use something like SecurID then things get more complicated - good
luck if you do - you're out of my experience there!

Julan Burton



Ulysees <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]KPOINT.COM>
03/10/2003 18:56
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: [FW-1] vpn/securemote question.




I've been racking my brains for a few hours on a rulebase to do this and I
can't get it to work.
2 sites running NG FP3 hf2+ssl, vpn set up between the 2 of them using a
community and limited traffic flowing between the 2 of them.
I have some securemote users off site A who access exchange & a few other
things as they roam.

Some of that traffic is not allowed in the VPN between site A & site B as it
would saturate the link between them,
however I want any of my securemote users to be able to roam onto the B
network and access the services they would normally access via securemote
from there.

I thought it'd be a case that Securemote authenticates to the firewall at
site A and establishes a tunnel to it (have allowed that in the rulebase on B),
however in the fw log on site A I get "Encryption failure: Different
community ID, possible NAT problem (VPN Error code 02)" on the ike rule.
The NAT rules that apply are:
allinternalnets to allinternalnets = original to original
net A to any = FW A(hide) to original
net B to any = FW B(hide) to original

Anybody got any ideas where it's going wrong or a better way of doing it ?

Uly

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet.







**********************************************************************
Zenith Insurance Management Limited    Registered No. 3805632
Registered @ Zenith House, Market Place, Haywards Heath,
West Sus, RH16 1DB.

NOTICE:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the [email protected] and delete the message
and any attachments accompanying it immediately.

**********************************************************************





 
   All contents © 2004 Network Presence, LLC. All rights reserved.