[FW1] routing between two irregular addresses
Hi, I got a question concerning FW1 VPN between two different non-routable addresses.
We try to run VPN between two different networks which both use irregular address spaces.
Both firewalls are Solaris boxes. The scenario is the following:
internal 192.168.x.x net
|
|
(internal illegal interface of FW A)
Firewall A (FW1 4.0) with VPN
(external legal interface of FW A)
|
|
ISP router A
|
|
Internet
|
|
ISP router B
|
|
(external legal interface of FW B)
Firewall B with VPN (FW1 4.0)
(internal illegal interface of FW B)
|
|
internal 10.100.x.x net
Both firewalls are running VPN in tunnelling mode without NAT as long as they communicate within the VPN.
If I try to ping from the 10.100.x.x net to a host on the 192.168.x.x net, my understanding is that the FW1 software for the outbound connection works its way through the software stack in the following order:
FW B:
1. check properties and anti-spoofing (rule 0)
2. check security policy
3. OS routing
4. NAT and on the wire to Internet
FW A:
1. check properties and anti-spoofing (rule 0)
2. check security policy
3. OS routing
4. NAT and on the wire LAN
Now my questions:
1. Can anybody give me a clue where encryption takes place?
2. The 10.100.x.x network has no interface to the 192.168.x.x network and vice versa, except in the FW1 network objects definition. Since we try to establish a tunnel between non-routable addresses (10.x.x.x and 192.168.x.x), is it necessary to configure a manual (virtual) route which says
on FW B:
route add net 192.168.x.x ISP-router B 1
on FW A:
route add net 10.x.x.x ISP-router A 1
note: I could call this a virtual route due to the circumstance that we run VPN between the two firewalled gateways, meaning the packet will never leave the firewall with a destination of 192.168.x.x, but the OS routing sees the packet before it gets encrypted.
I would appreciate any comment!
Andreas Schmidt-Klieber
senior systems engineer
TERMA Elektronik AS; Info Systems Division
Bregnerodvej 144; DK 3460 Birkerod; Denmark
tel (work): +45 45 949893
tel (cell): +45 21 209205
fax: +45 45 949888
email: ask@terma.com
url: http://www.terma.com