List Info
Thread: Re: VPN problem - encryption domain confusion between 2 firewalls

Re: VPN problem - encryption domain confusion between 2 firewalls | United States | 2007-08-28 05:25:39
VPN domains cannot overlap, unless you are using all these firewalls in a
cluster mode such as ClusterXL. Whatever network segments you have in
encryptiondomain1 should not exist in encryptiondomain2; this is the cleanest
way to do it. If you really need to overlap network segments then you need to
do some fancy NAT (network address translation), and most of the problems are
usually routing or NAT or both.
----- Original Message ----
From: Cihan Subasi <CihanS GARANTI.COM.TR>
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Sent: Monday, August 27, 2007 6:21:32 AM
Subject: Re: [FW-1] VPN problem - encryption domain confusion between 2 firewalls
Hi all,
We have 2 firewalls managed by the same management. FW1 is our public VPN
peer that we usually use for internet VPNs and has an encryption domain
Encryptiondomain1. Now we need to do another VPN from FW2 to FW3, over the
internet again. But as soon as we select VPN under the Check Point products
window, assign an encryption domain and install FW2, the IP addresses that
are in FW1's encryption domain (encryptiondomain1) lose connectivity
(access) to FW2. We have tried to create a group with exclusion, and we
tried an empty encryption domain for FW2; none of them worked for us. When
an IP address that is part of FW1's encryption domain accesses FW2 with
telnet, ssh or icmp, in the logs we see a DROP with "clear text message,
packet must be encrypted" messages...
Any clue or idea why this is happening? Thanks
***********************************************************
Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel:(90)(212)4783426 GSM:(90)(533)(2750353)
Fax:(90)(212)6576150
http://www.garantitechnology.com
mailto:cihans garanti.com.tr
Success is a wonderful thing, but never underestimate the value of
failure. Failure teaches many more things than success ever can.
***********************************************************
This message and attachments are confidential and intended
solely for the individual(s) stated in this
message. If you received this message although you are not
the addressee, you are responsible to keep the
message confidential. The sender has no responsibility for
the accuracy or correctness of the
information in the message and its attachments. Our company
shall have no liability for any changes
or late receiving, loss of integrity and confidentiality,
viruses and any damages caused in
anyway to your computer system.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================

Re: VPN problem - encryption domain confusion between 2 firewalls | Netherlands | 2007-08-28 13:14:03
On Tue, 28 Aug 2007, no-need to-list wrote:
> VPN domains cannot overlap, unless you are using all these firewalls in a
> cluster mode such as ClusterXL. Whatever network segments you have in
> encryptiondomain1 should not exist in encryptiondomain2; this is the
> cleanest way to do it. If you really need to overlap network segments then
> you need to do some fancy NAT (network address translation), and most of
> the problems are usually routing or NAT or both.
Or look into the concept of MEP. It allows multiple firewalls under common
management to share the encryption domain and allow the user or admin to
determine through which gateway you can enter the network.
Hugo.
--
hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for this quote of George Bernard Shaw.)

Re: VPN problem - encryption domain confusion between 2 firewalls | 2007-08-31 01:28:06
The encryption domains do not overlap at all, but both firewalls have 2
interfaces in two different shared networks (management and internal), and
the internal network is in the encryption domain of FW1, not FW2. But when
those IP addresses try to access FW2 and its encryption domain
(encryptiondomain2) we get the error from rule 0 saying that those packets
need to be encrypted...
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On Behalf Of Hugo van der Kooij
Sent: Tuesday, August 28, 2007 9:14 PM
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] VPN problem - encryption domain confusion between 2 firewalls
> On Tue, 28 Aug 2007, no-need to-list wrote:
> > VPN domains cannot overlap, unless you are using all these firewalls in
> > a cluster mode such as ClusterXL. Whatever network segments you have in
> > encryptiondomain1 should not exist in encryptiondomain2; this is the
> > cleanest way to do it. If you really need to overlap network segments
> > then you need to do some fancy NAT (network address translation), and
> > most of the problems are usually routing or NAT or both.
>
> Or look into the concept of MEP. It allows multiple firewalls under
> common management to share the encryption domain and allow the user or
> admin to determine through which gateway you can enter the network.
> Hugo.
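The two checks a Check Point admin would want for the situation in this thread, as an added Python model (not Check Point code and not from any poster): a test that per-gateway encryption domains under one management do not overlap, and a simplified model of the rule 0 "clear text packet must be encrypted" drop. It assumes FW1 and FW2 are peers in one VPN community and that a gateway drops any clear-text packet whose source sits in a peer's encryption domain; the addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not the poster's real addresses): two gateways under
# one management, each with its own non-overlapping encryption domain.
DOMAINS = {
    "FW1": ["10.1.0.0/16"],   # encryptiondomain1
    "FW2": ["10.2.0.0/16"],   # encryptiondomain2
}
# Assumption: FW1 and FW2 are peers in the same site-to-site VPN community.
VPN_PEERS = {"FW1": {"FW2"}, "FW2": {"FW1"}}


def overlapping_domains(domains):
    """Pairs of gateways whose encryption domains share address space."""
    names = sorted(domains)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in map(ip_network, domains[a]):
                for net_b in map(ip_network, domains[b]):
                    if net_a.overlaps(net_b):
                        hits.append((a, b, str(net_a), str(net_b)))
    return hits


def domain_of(ip, domains=DOMAINS):
    """Name of the gateway whose encryption domain contains ip, or None."""
    addr = ip_address(ip)
    for gw, nets in domains.items():
        if any(addr in ip_network(net) for net in nets):
            return gw
    return None


def rule0_decision(gateway, src, encrypted, domains=DOMAINS, peers=VPN_PEERS):
    """Simplified model of the implied-rule drop reported in the thread.

    A packet that reaches `gateway` in clear text, but whose source lies in a
    VPN peer's encryption domain, was expected to arrive through the tunnel
    and is dropped. A host that reaches the gateway over a shared LAN,
    bypassing its own gateway, therefore hits exactly this drop.
    """
    src_gw = domain_of(src, domains)
    if not encrypted and src_gw is not None and src_gw in peers.get(gateway, ()):
        return "DROP: clear text packet must be encrypted"
    return "ACCEPT"
```

Run `overlapping_domains(DOMAINS)` after every domain change on a shared management; an empty list means the first reply's advice is satisfied, and `rule0_decision` shows why a host from encryptiondomain1 still gets dropped when it reaches FW2 over the shared internal network instead of through FW1.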