Hey Andrew,
Thank you for the link, I really appreciate it.
Unfortunately though, it doesn't contain any info regarding what to do when the interface that is trying to create the encrypted IPSec tunnel is the wrong one :-(
Kind regards,
Dimitris
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of Andrew W Barkley
Sent: Wednesday, March 19, 2008 22:50
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
Hi Dimitris,
The following excellent site may shed some light; there are several examples, hopefully one of which may help: http://www.fw-1.de/aerasec/ngx/vpn-cp-x.html
Just another thought: ensure that on the Astaro firewall you've configured your CP object's internal/external interfaces and the CP object's encryption domain (excluding the CP's IPs). Also, should you be using PFS, disable PFS temporarily to test.
Regards
Andrew
CSC Computer Sciences Limited
Registered Office: Royal Pavilion, Wellesley Road,
Aldershot, Hampshire,
GU11 1PZ, UK
Registered in England No: 0963578
This is a PRIVATE message. If you are not the intended
recipient, please
delete without copying and kindly advise us by e-mail of the
mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate
to bind CSC to
any order or other contract unless pursuant to explicit
written agreement
or government initiative expressly permitting the use of
e-mail for such
purpose.
Chontzopoulos Dimitris <dchontzo ABC.GR>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
19/03/2008 20:10
Please respond to
Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
To
FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
cc
Subject
Re: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
Hey Andrew,
That's easy... They're not.
Kind regards,
Dimitris
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of Andrew W Barkley
Sent: Wednesday, March 19, 2008 21:36
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
Hi Dimitris,
Just a thought: verify that NIC-A & B (1.2.3.4/5.6.7.8) are NOT included in CP's own encryption domain.
Regards
Andrew
Chontzopoulos Dimitris <dchontzo ABC.GR>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
19/03/2008 14:10
Please respond to
Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
To
FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
cc
Subject
Re: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
Hello Matthew,
Well, I tried what you suggested and it just won't work!!! I'm having multiple headaches right now...!!!...!!!
I've tried routing the Remote Encryption Domain to:
- NIC-B directly
- The Router of NIC-B
- Both the 2 above at the same time
The settings I'm currently using are the following:
- Traditional Mode Configuration
- Global Properties, VPN, Advanced, "Enable VPN-1 gateway to calculate statically..."
- IPSec_orig_if_nat (true)
- IPSec_main_if_nat (false)
- Routing the VPN Domain to the Router of NIC-B
- Default Gateway on NIC-A
Please help!!!
Kind regards,
Dimitris
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of Chontzopoulos Dimitris
Sent: Wed, 20 Feb 2008 13:36:21 +0200
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: RE: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
A quick workaround for this should be to add a route for the remote encryption domain to the firewall to go via the gateway on NIC B. The routing engine on the Check Point will try and route the packet before it actually performs the encapsulation. This results in Check Point incorrectly stamping the source of the encapsulated packet as the NIC with the default gateway set.
Just add a normal static route to the remote encryption domain (not just the remote peer) to go via your router on NIC B.
If that doesn't work, we will have to investigate other options.
Cheers
Matthew
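The route-before-encapsulate behaviour Matthew describes, modelled as an added Python example; this is not code from the thread and not Check Point's implementation. Only the two NIC addresses (1.2.3.4 on NIC-A, 5.6.7.8 on NIC-B) come from the thread; the router addresses, the peer address and the remote encryption domain are assumed values chosen for illustration. The model does a longest-prefix lookup on the cleartext (inner) destination and lets the egress interface of that lookup supply the outer source, which is why a host route for the peer alone still stamps NIC-A, while a route covering the remote encryption domain stamps NIC-B.

```python
"""Model of "route first, then encapsulate" source-address selection.

Constructed example (not code from the thread or from Check Point). It models
the behaviour Matthew describes: the gateway performs a routing lookup on the
cleartext packet before IPSec encapsulation, and the egress interface of that
lookup supplies the outer source address. Only NIC-A (1.2.3.4) and NIC-B
(5.6.7.8) come from the thread; the gateways, the peer address and the remote
encryption domain below are assumed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

NIC_A = ip_address("1.2.3.4")
NIC_B = ip_address("5.6.7.8")
GW_A = ip_address("1.2.3.1")                    # assumed router on NIC-A
GW_B = ip_address("5.6.7.1")                    # assumed router on NIC-B
PEER = ip_address("203.0.113.10")               # assumed remote (Astaro) peer
REMOTE_DOMAIN = ip_network("192.168.50.0/24")   # assumed remote encryption domain


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    src: IPv4Address                    # address of the egress interface
    via: Optional[IPv4Address] = None   # None = directly connected


def lookup(table: List[Route], dst: IPv4Address) -> Route:
    """Longest-prefix match, as a routing engine would do it."""
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def encapsulate(table: List[Route], inner_dst: IPv4Address,
                peer: IPv4Address) -> Dict[str, str]:
    """Return the outer (ESP) header the model stamps on a packet to inner_dst.

    The lookup is done on the *inner* destination, i.e. before encapsulation,
    so the interface owning the matching route decides the outer source. The
    model only tracks that source stamp; where the outer packet is then
    forwarded is not modelled.
    """
    r = lookup(table, inner_dst)
    return {"outer_src": str(r.src), "outer_dst": str(peer), "egress": r.iface}


def outer_source(table: List[Route], inner_dst: str) -> str:
    """Which local address gets stamped for this inner destination."""
    return encapsulate(table, ip_address(inner_dst), PEER)["outer_src"]


CONNECTED = [
    Route(ip_network("1.2.3.0/24"), "NIC-A", NIC_A),
    Route(ip_network("5.6.7.0/24"), "NIC-B", NIC_B),
]
DEFAULT_VIA_A = Route(ip_network("0.0.0.0/0"), "NIC-A", NIC_A, via=GW_A)


def default_only_table() -> List[Route]:
    """Default gateway on NIC-A and nothing else (the situation in the thread)."""
    return CONNECTED + [DEFAULT_VIA_A]


def peer_only_table() -> List[Route]:
    """Host route for the peer via NIC-B; not enough, the inner lookup still hits the default."""
    return default_only_table() + [
        Route(ip_network(f"{PEER}/32"), "NIC-B", NIC_B, via=GW_B)]


def domain_table() -> List[Route]:
    """Matthew's suggestion: route the remote encryption domain itself via NIC-B."""
    return peer_only_table() + [Route(REMOTE_DOMAIN, "NIC-B", NIC_B, via=GW_B)]


if __name__ == "__main__":
    host = "192.168.50.20"   # a host inside the assumed remote encryption domain
    for name, table in (("default only", default_only_table()),
                        ("peer /32 only", peer_only_table()),
                        ("remote domain routed", domain_table())):
        print(f"{name:22s} -> {encapsulate(table, ip_address(host), PEER)}")
```

Running it prints the outer source for the three routing tables; only the last one, with the remote encryption domain routed via NIC-B, stamps 5.6.7.8, and traffic outside that domain still leaves via the default gateway on NIC-A.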
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM]
On Behalf Of Chontzopoulos Dimitris
Sent: Wednesday, February 20, 2008 13:13
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to *force* a specific NIC for a VPN Tunnel
Hello there guys,
I've searched as much as I could, but wasn't able to find a *solid* response to the question:
On Check Point NG R55W AI, can someone *force* a VPN Tunnel to be established on a specific External Network Interface Card? As you imagine, we have a Check Point NG R55W AI with 2 NICs on 2 different Switches, connected onto 2 different Routers, connected onto 2 different ISPs.
CP -------- ISP-A (CP NIC-A: 1.2.3.4)
|
|
|
ISP-B (CP NIC-B: 5.6.7.8)
NIC 1.2.3.4 is the one used in the Firewall-Object-Properties and where the License resides. We want to establish the VPN (Interoperable Device, NOT Check Point Firewall) on NIC 5.6.7.8.
What's happening is that we do send IKE Packets from NIC-B to the other side and when IKE Phase 1 is about to complete, the Firewall on the other side complains that the IP Addresses do not match for the IPSec Tunnel. In other words, even though the IKE connection initiated by NIC-B is correct, when IKE Phase 1 is about to complete, the IP Address within the Payload WE send is not for NIC-B, but for NIC-A... The actual message we get back from the other side is this:
IKE: Phase 1 Received Notification from Peer: payload malformed
I have tried the following:
- Policy, Global Properties, VPN, Advanced, "Resolving Mechanism", Enable dynamic interface resolving per gateway (must be defined per gateway)
- (then on the Gateway object) VPN, VPN Advanced, Dynamic Interface resolving configuration..., Enable dynamic resolution by peer VPN-1 gateways, Upon tunnel initialization
- Using GUIDBEdit, changed the following:
  * IPSec_orig_if_nat from *true* to *false*
  * IPSec_main_if_nat left as *false*
Some facts:
- Our Firewall is an NG R55W AI, HFA04, Hotfix011, Build 004
- The VPN Module is an NG R55W AI, HFA04, Hotfix011, Build 003
- The other Firewall is an Astaro something...
- We're running Traditional Mode
Any ideas, comments, remarks? Any help is greatly appreciated!!!
Cheers,
Dimitris
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================
Scanned by Check Point Total Security Gateway.