
RE: [FW1] VPN-1




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have VPNs between networks using IPSEC with the ISAKMP key
exchange. I have four rules:

FW-A-Ext   FW-B-Ext     IPSEC   Accept
FW-B-Ext   FW-A-Ext     IPSEC   Accept
A-Devices  B-Devices    Any     AcceptEncrypt
B-Devices  A-Devices    Any     AcceptEncrypt

FW-x-Ext is the object for the firewalls with their external IP
address, encryption schemes, etc.
x-Devices is a group that contains internal network objects and
object definitions of machines with a static NAT address. I use this
group as the encryption domain for each firewall.

I thought that the first two rules are redundant and FW-1 will allow
IPSEC automatically because of the encryption specified in rules 3+4.
However, with those missing or disabled nothing works. So yes,
apparently you need a rule for the encryption protocols (IPSEC in
this case) and a rule for the encrypted traffic flow.

Regards,
Frank

> -----Original Message-----
> From: jgonzalez@amadeus.net [mailto:jgonzalez@amadeus.net]
> Sent: Tuesday, November 02, 1999 10:10 AM
> 
> Is it necessary to create a special rule between two VPN-1 in order
> to interchange encryption keys, or is it enough with one Action=Encrypt
> rule between encryption domains?
 

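A constructed model of the four-rule base described in the reply above, added here as an example and not part of the original post: a first-match evaluator with assumed placeholder addresses for the gateways' external interfaces and the encryption domains, showing that IKE (UDP 500) and ESP packets between the two gateways only match rules 1 and 2, so with those disabled that traffic falls through to the implicit drop.

```python
import ipaddress

# Network objects named as in the post; the addresses are constructed placeholders.
# x-Devices holds the internal networks plus static-NAT hosts (the encryption domain).
OBJECTS = {
    "FW-A-Ext":  [ipaddress.ip_network("192.0.2.1/32")],
    "FW-B-Ext":  [ipaddress.ip_network("198.51.100.1/32")],
    "A-Devices": [ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("192.0.2.10/32")],
    "B-Devices": [ipaddress.ip_network("10.2.0.0/16"),
                  ipaddress.ip_network("198.51.100.10/32")],
}

# The IPSEC service group: ISAKMP/IKE on UDP 500 plus the ESP and AH protocols.
SERVICES = {
    "IPSEC": {("udp", 500), ("esp", None), ("ah", None)},
}

# (source, destination, service, action) in rule-base order.
RULES = [
    ("FW-A-Ext",  "FW-B-Ext",  "IPSEC", "Accept"),
    ("FW-B-Ext",  "FW-A-Ext",  "IPSEC", "Accept"),
    ("A-Devices", "B-Devices", "Any",   "AcceptEncrypt"),
    ("B-Devices", "A-Devices", "Any",   "AcceptEncrypt"),
]


def in_object(ip, name):
    """True if the address belongs to any network in the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OBJECTS[name])


def service_matches(proto, port, svc):
    """'Any' matches everything; otherwise match against the service group."""
    return svc == "Any" or (proto, port) in SERVICES[svc]


def match(rules, src, dst, proto, port=None):
    """First-match evaluation; no match falls through to the implicit Drop."""
    for s, d, svc, action in rules:
        if in_object(src, s) and in_object(dst, d) and service_matches(proto, port, svc):
            return action
    return "Drop"


if __name__ == "__main__":
    print(match(RULES, "192.0.2.1", "198.51.100.1", "udp", 500))      # Accept (rule 1)
    print(match(RULES, "10.1.0.5", "10.2.0.7", "tcp", 80))            # AcceptEncrypt (rule 3)
    print(match(RULES[2:], "192.0.2.1", "198.51.100.1", "udp", 500))  # Drop: IKE has no rule
```

The gateway external addresses are not members of the x-Devices groups, which is why rules 3 and 4 never cover the key exchange or the ESP packets carrying the tunnel.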

