Thread: no access from Secureclient to branch office

no access from Secureclient to branch office
Mark Williams (Germany), 2008-03-13 10:51:49
Hi list,
I'm using NGX R65 on Nokia IP380 IPSO 4.2 with Win2k3 mgmt
and a cold standby machine.

We have several branch offices which are connected over VPN
Edges with "route all traffic through gateway" to
the central gateway.
I'm using traditional mode with no communities.

The problem is now that my SecureClient users connect to
the central gateway and want to get e-mails from the branch
offices' Exchange server.
This is not possible. I can't even ping the branch office
from SecureClient.
The SecureClient users all have the same policy: Allow all
from and to all internal networks (Enc-Dom) including branch
offices. Block all other.
We have many leased-line-connected plants, which I can
access without any problem from SecureClient. From the internal
network the branch offices are reachable, too.

Do you have any idea why I cannot access branch office
networks from SecureClient? And if yes, do you have a
solution, too?

Cheers

Mark


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: no access from Secureclient to branch office
stromsec, 2008-03-14 06:20:11
Hi,

The Officemode network is not part of the encryption
domain.

Use separate encryption domains for SecureClient and
Site2Site VPN.

SecureClient should be the same that you have for Site2Site
VPN today and
Site2Site VPN should include the Officemode network.

Then it will work.

Another option is to use the vpn_route.conf file, but it is
a little more
complex.

Br


Re: no access from Secureclient to branch office
Mark Williams (Germany), 2008-03-17 06:37:58
my VPN-Edge rules look like this:

Source               Destination        Service    Action
net_newyork          enc_dom            any        encrypt
enc_dom              net_newyork        any        encrypt

VPN remote login rule:

group_vpn_users      enc_dom            any        client encrypt

Office Mode rules:

net_officemode       enc_dom            any        accept
enc_dom              net_officemode     any        accept

Desktop Policy

Source               Desktop                Service    Action
enc_dom_plus_edges   group_vpn_users@any    any        encrypt
firewall             group_vpn_users@any    any        encrypt
any                  group_vpn_users@any    any        block
enc_dom_plus_edges   all users@any          any        accept

and vice versa

The VPN Domain in the configuration of the firewall object is
enc_dom.

In group enc_dom are all internal networks, but not the edge
networks.
Group enc_dom_plus_edges includes the edge networks, but not the
interoperable devices (edge objects).

I found out that SecureClient's routing is wrong.
"route print" is not showing the edge networks, so they are not
routed into the VPN tunnel.
I changed the VPN Domain in the firewall object from
"enc_dom" to "enc_dom_plus_edges", but then all edge networks
are not reachable from the internal network anymore (!!!). But in
this case I have the routing entries at the Windows client for
the edge networks.

This problem is freaking me out.
I would be very grateful for any hint.





Re: no access from Secureclient to branch office
stromsec, 2008-03-19 02:40:01
Hi,

Sorry, I missed that your SecureClients did not use
RouteAll.

The SecureClient enc-dom should be:
your internal enc_dom and all the satellites' enc_dom.

Your Site2Site enc_dom should be:
your internal enc_dom and your officemode net.

Br.

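The domain split stromsec describes (remote-access domain = internal networks plus every satellite's network; site-to-site domain = internal networks plus the office mode network), together with Mark's earlier observation that SecureClient's "route print" only lists what the gateway's VPN domain hands out, can be checked offline before touching SmartDashboard. The following Python script is an added example and is not code from this thread or from Check Point: the object names (enc_dom, net_newyork, net_officemode, enc_dom_plus_edges) come from the thread, every prefix is a constructed sample value, and the overlap check in step 3 is my own assumption about why the enc_dom_plus_edges change broke internal reachability, not something the thread states.

```python
"""Model of the encryption-domain layout discussed in this thread.

Added example, not Check Point code. Object names come from the thread;
every prefix is a constructed sample value.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List

# Constructed sample address plan (hypothetical prefixes).
ENC_DOM: List[IPv4Network] = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]
EDGE_NETS: Dict[str, IPv4Network] = {           # networks behind the VPN Edges
    "net_newyork": ip_network("10.50.0.0/24"),
    "net_london": ip_network("10.51.0.0/24"),   # second satellite, constructed
}
NET_OFFICEMODE: IPv4Network = ip_network("172.16.10.0/24")


def covered(net: IPv4Network, domain: List[IPv4Network]) -> bool:
    """True if `net` lies inside one of the domain's networks."""
    return any(net.subnet_of(member) for member in domain)


def client_tunnel_routes(remote_access_domain: List[IPv4Network]) -> List[IPv4Network]:
    """Networks SecureClient installs as tunnel routes, i.e. what `route print`
    shows on the client. A destination not listed here leaves through the
    client's ordinary default route and never enters the VPN."""
    return sorted(remote_access_domain)


def recommended_domains(internal, edges, office_mode):
    """The split stromsec recommends: remote-access domain = internal networks
    plus every satellite's network; site-to-site domain = internal networks
    plus the office mode network. The two domains deliberately differ."""
    remote_access = list(internal) + list(edges.values())
    site_to_site = list(internal) + [office_mode]
    return remote_access, site_to_site


def check_office_mode_reach(dst, remote_access, site_to_site, edges, office_mode) -> List[str]:
    """Follow an office-mode client's packet to `dst` behind a VPN Edge and
    return the findings; an empty list means the flow is expected to work."""
    findings: List[str] = []
    edge = next((name for name, net in edges.items() if dst.subnet_of(net)), None)
    if edge is None:
        return [f"{dst} is not behind any VPN Edge in this model"]
    # Step 1, client side: without a tunnel route the packet never enters the VPN.
    if not covered(dst, remote_access):
        findings.append(f"{dst} is missing from the remote-access domain: "
                        "SecureClient has no tunnel route for it (absent from route print)")
    # Step 2, gateway-to-edge leg: the edge only encrypts traffic for peers in
    # the central gateway's site-to-site domain, so the office mode network must
    # be part of it or the return path to the client is not tunnelled.
    if not covered(office_mode, site_to_site):
        findings.append(f"office mode net {office_mode} is missing from the site-to-site "
                        f"domain: {edge} will not tunnel return traffic to the client")
    # Step 3 (assumption, not stated in the thread): a site-to-site domain that
    # contains a satellite's own network overlaps that satellite's domain, which
    # matches the symptom seen after switching the VPN domain to enc_dom_plus_edges.
    for name, net in edges.items():
        if covered(net, site_to_site):
            findings.append(f"site-to-site domain overlaps the domain of {name} ({net})")
    return findings


def evaluate_layouts(dst: str) -> Dict[str, List[str]]:
    """Run the check for one destination against the three layouts from the thread."""
    target = ip_network(dst)            # a bare address becomes a /32
    with_edges = ENC_DOM + list(EDGE_NETS.values())
    layouts = {
        "original (VPN domain = enc_dom)": (ENC_DOM, ENC_DOM),
        "attempt (VPN domain = enc_dom_plus_edges)": (with_edges, with_edges),
        "recommended split": recommended_domains(ENC_DOM, EDGE_NETS, NET_OFFICEMODE),
    }
    return {name: check_office_mode_reach(target, ra, s2s, EDGE_NETS, NET_OFFICEMODE)
            for name, (ra, s2s) in layouts.items()}


if __name__ == "__main__":
    for layout, findings in evaluate_layouts("10.50.0.10").items():
        print(f"{layout}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
    print("tunnel routes with enc_dom only:", [str(n) for n in client_tunnel_routes(ENC_DOM)])
```

Running it against a constructed host behind net_newyork reports two findings for the original layout (no client tunnel route, office mode net absent from the site-to-site domain), three for the enc_dom_plus_edges attempt (the office mode gap plus an overlap with each satellite), and none for the recommended split.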

Re: no access from Secureclient to branch office
Mark Williams (Germany), 2008-03-26 03:04:36
Hi,
now I've changed one client to RouteAll and the policy is
like you said.
Now the packet reaches the gateway's external interface, but
is not listed in SmartView Tracker and doesn't leave the gateway
in the direction of the VPN Edge.
I've checked it with tcpdump on the gateway.

Does anybody have edge networks which are reachable from
office mode clients configured in traditional mode?

I would be very grateful for any hint.
