RE: [FW1] VPN problems. Please help.
While it is supported, as far as I have been able to
setup and configure, the only time encapsulation is
available with FWZ is for SecuRemote to the FW. What
I have done is setup static NATs for all devices that
each site wants to communicate with. That may not be
an option if you have a lot of things that you want to
utilize on both ends. I have had to set it up a lot
because of encryption exportation stuff.
Chris
--- D330 SCHsu <SCHSU@winbond.com.tw> wrote:
>
> FWZ encapsulation is supported by version 3.0a and
> higher. Please refer to
> VP-94.
>
> Bradley, I have two suggestions to you.
>
> 1. Check the encryption domain setting. I think it's
> most possible.
> 2. Check the rule sequence. Please refer to VP-22.
>
> -----Original Message-----
> From: Mike Lee [mailto:mlee@onesecure.com]
> Sent: Friday, November 26, 1999 11:35 AM
> To: Bradley Tate
> Cc: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: Re: [FW1] VPN problems. Please help.
>
>
>
> Bradley,
>
> you may be better off using either SKIP or
> ISAKMP/OAKLEY if you want to do
> encapsulated VPN.
>
> as far as I know, FWZ encryption doesn't touch the
> ip header, leaving the
> source address as illegal.
>
> SKIP and ISAKMP/OAKLEY encapsulate the whole packet
> and add an additional ip
> header with a legal ip (your fw's external ip) so you
> won't have any routing
> issue.
>
> hope it helps.
>
> mike
> ------------------------------------
> Sigh. I'm suffering from a severe conceptual block
> and hoping someone
> can help me. I've had two NT Firewall/1s running
> with hidden and static
> NAT at different sites for a while, largely to
> provide internet access
> for internal users and a bit of access to our DNS
> and Web server on a
> DMZ. The main networks behind the Firewall are using
> illegal addresses
> in the 192.168. range. So far so good.
>
> Now I want to create a VPN tunnel (I think?) to
> provide transparent
> access between these remote illegal LANs and I can't
> make it work. I've
> tried knocking out address translation to tidy
> things up for testing but
> that didn't seem to help.
>
> illegal internal network A (192.168.1.0)
> ---------------------
> FW A external legal address
> =====================
> |
> Internet
> |
> =====================
> FW B external legal address
> ---------------------
> illegal internal network B (192.168.2.0)
>
> I've installed the FWZ encryption modules at each
> end, swapped keys
> between the two gateways, set up encryption domains
> and created rules
> like
>
> NetA NetB Any Enc
> NetB NetA Any Enc
>
> Nothing happens. Am I trying to do something which
> is fundamentally
> undoable? Am I looking at this the wrong way? Is FWZ
> capable of doing
> this, or would I need to use ISAKMP/OAKLEY? Are
> there routing issues
> here I'm not catering for?
>
> Sorry if I'm not providing enough information for
> you, but I've been
> chasing my tail on this till I don't even know what
> I need to know to do
> it.
>
> Regards and thanks for any suggestions,
>
> Bradley Tate.
Chris
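The routing point Mike makes (in-place FWZ encryption leaves the private header, encapsulation adds a public outer header) and Chris's static NAT workaround, modelled as an added toy example; this is not code from the thread or from Check Point, and the public addresses, static NAT tables and the "drop RFC 1918" transit rule are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed topology from the thread: two 192.168.x LANs behind gateways
# with public ("legal") addresses; public values are documentation-range
# placeholders and the static NAT tables are assumed, not from the post.
FW_A_EXT, FW_B_EXT = "198.51.100.1", "203.0.113.1"
STATIC_NAT_A = {"192.168.1.10": "198.51.100.10"}
STATIC_NAT_B = {"192.168.2.20": "203.0.113.20"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str
    inner: object = None   # original packet when encapsulated (tunnel mode)

def fwz_encrypt(pkt: Packet) -> Packet:
    """In-place encryption as the thread describes FWZ: payload protected,
    IP header (and so the private addresses) left untouched."""
    return replace(pkt, payload="<ciphertext>")

def tunnel_encapsulate(pkt: Packet, gw_src: str, gw_dst: str) -> Packet:
    """SKIP/ISAKMP-style encapsulation: whole packet wrapped in a new header
    carrying the gateways' public addresses."""
    return Packet(gw_src, gw_dst, "<ciphertext>", inner=pkt)

def static_nat_out(pkt: Packet, table: dict) -> Packet:
    """Chris's workaround: translate the private source to its static NAT
    address before the packet leaves the gateway."""
    return replace(pkt, src=table.get(pkt.src, pkt.src))

def internet_forwards(pkt: Packet) -> bool:
    """Transit routers have no route for RFC 1918 space: drop packets whose
    outer source or destination is private."""
    return not any(ipaddress.ip_address(a) in n
                   for a in (pkt.src, pkt.dst) for n in RFC1918)

def compare_approaches() -> dict:
    """One packet from LAN A to LAN B under the three approaches discussed."""
    lan_to_lan = Packet("192.168.1.10", "192.168.2.20", "GET /")
    # With static NAT the LAN A host addresses the remote host's NAT address.
    to_nat_addr = Packet("192.168.1.10", STATIC_NAT_B["192.168.2.20"], "GET /")
    return {
        "fwz_in_place": internet_forwards(fwz_encrypt(lan_to_lan)),
        "encapsulated": internet_forwards(
            tunnel_encapsulate(lan_to_lan, FW_A_EXT, FW_B_EXT)),
        "fwz_with_static_nat": internet_forwards(
            fwz_encrypt(static_nat_out(to_nat_addr, STATIC_NAT_A))),
    }
```

Only the first approach is dropped in transit, which matches the symptom in the thread: the encryption works, but the packets carrying 192.168.x addresses never reach the other gateway.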
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================