Actually, the IP assigned to the external interface (hence the gateway)
is local and it is reached by an official address which is NATted in the
Cisco box.
The Checkpoint manual notes that this is a valid configuration if there is
another interface which has an official IP.
(Mechanism is: the client connects to the gateway, downloads the topology and
logically chooses the official address of that topology to build an IPSec
tunnel.)
So we created a "virtual" interface in the Nortel box and added it to the
cluster topology, expecting that the topology (10.0.0.1 & global) would be
downloaded to the client and it would choose the global IP to build a
tunnel. But we can see the client still trying to connect to
10.0.0.1 to build an IPsec tunnel, not the official IP.
As a last resort we are planning to change the IP of the gateway cluster (so the
external IP assigned to the Nortel box), but we have concerns about
dependencies among the rule base and other configuration.
Regards,
Prabath Gamage
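The failure described in this thread is that the remote client builds its IPsec tunnel to the gateway's private address (10.0.0.1) instead of the official, routable one, so IKE never reaches the gateway across the Internet. The script below is an added illustration of that check, not Check Point code and not a parser for a real SecureClient topology file: it takes a constructed topology (interface name, address) list, classifies each advertised address as Internet-routable or not, picks the endpoint a remote client should use, and compares it with the endpoint the client was actually observed using (the address seen in the `fw monitor` output). The public address 203.0.113.10 is a placeholder from the documentation range standing in for the real official IP.

```python
"""Check which addresses a VPN gateway advertises in its topology are usable
as a tunnel endpoint by a client on the public Internet.

Added example for this thread; constructed data, not a real topology dump."""
import ipaddress
from typing import Optional

# Blocks a remote Internet client cannot reach directly: RFC 1918 private
# space plus loopback, link-local and "this network".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_internet_routable(addr: str) -> bool:
    """True if addr lies outside every non-routable block above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


# Constructed sample topology: what a gateway cluster behind a NAT device
# might advertise once a "virtual" interface carrying the official IP is added.
# 203.0.113.10 is a documentation-range placeholder for the official IP.
SAMPLE_TOPOLOGY = [
    ("eth0-external", "10.0.0.1"),       # private IP on the external interface
    ("virtual-official", "203.0.113.10"),  # placeholder official (NATted) IP
    ("eth1-internal", "192.168.10.1"),   # constructed internal network
]


def select_tunnel_endpoint(topology) -> Optional[str]:
    """Return the first advertised address a remote client could reach, or
    None if the gateway advertises only private addresses."""
    for _name, addr in topology:
        if is_internet_routable(addr):
            return addr
    return None


def diagnose(topology, endpoint_client_used: str):
    """Compare the endpoint the client actually sent IKE to (as seen with
    fw monitor) against the address it should have chosen.

    Returns (ok, explanation)."""
    expected = select_tunnel_endpoint(topology)
    if expected is None:
        return (False, "gateway advertises no Internet-routable address; "
                       "the official IP must appear in the topology")
    if not is_internet_routable(endpoint_client_used):
        return (False, f"client sent IKE to private {endpoint_client_used}; "
                       f"it should use {expected}, so IKE cannot cross the Internet")
    return (True, f"client uses routable endpoint {endpoint_client_used}")


if __name__ == "__main__":
    # The situation in the thread: topology has both addresses, client still
    # picks 10.0.0.1.
    for observed in ("10.0.0.1", "203.0.113.10"):
        ok, why = diagnose(SAMPLE_TOPOLOGY, observed)
        print("OK " if ok else "BAD", why)
```

Run it as-is to see the two verdicts; to apply it to a real case, replace `SAMPLE_TOPOLOGY` with the addresses shown in the client's downloaded topology and pass the destination address seen in `fw monitor` as `endpoint_client_used`.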
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Kunz, T
Sent: Friday, February 20, 2004 4:23 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] AW: [FW-1] VPN Help
But you need an official IP for the Gateway when you want to route the
connection via the Internet.
This should be the Gateway IP in SC too.
Maybe you have a netplan for this, to understand better what exactly the
problem is...
Regards
Thomas Kunz
Email: mailto:thomas.kunz AT t-systems DOT com
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
Prabath Gamage
Sent: Tuesday, 17 February 2004 04:24
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] VPN Help
Yes, the connection goes through the Internet.
10.0.0.1 is assigned to the VPN gateway. (SC = SmartCenter? Official IP =
global IP representing the local IP assigned to the VPN gateway? Am I
correct?)
When we create a site and log on, it works fine since the IP is global.
But the VPN server (VPN gateway) gives its IP (10.0.0.1) to the client as
the client's remote tunnel end. This can't travel through the Internet. Is
there a way to assign the VPN's global represented IP (only the Cisco 6500 box
is aware of this IP) to the VPN server and send it to the client as its remote
tunnel end?
Thanks and regards
Prabath
-----Original Message-----
From: "Kunz, T" <Thomas.Kunz AT T-SYSTEMS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 16 Feb 2004 12:48:42 +0100
Subject: [FW-1] AW: [FW-1] AW: [FW-1] VPN Help
> So the connection goes through the Internet?
>
> Is the Official IP marked as Gateway in SC or the 10.0.0.1?
> Did you review your Routing Config?
>
> Thomas
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Prabath Gamage
> Sent: Monday, 16 February 2004 11:27
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] AW: [FW-1] VPN Help
>
>
> Office mode is not enabled and the NATting device is the 6500 box.
> 10.0.0.1 is the gateway cluster (hence the VPN gateway). It is the IP
> assigned to the external interface of the Nortel box.
>
> regards,
>
> -----Original Message-----
> From: "Kunz, T" <Thomas.Kunz AT T-SYSTEMS DOT COM>
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Date: Mon, 16 Feb 2004 10:44:19 +0100
> Subject: [FW-1] AW: [FW-1] VPN Help
>
> > Do you have 10.0.0.1 or the NATted object in your SC configuration as
> > Gateway?
> >
> > Is Office-Mode enabled?
> > Any Firewall Router-NAT between?
> >
> > Regards
> > Thomas Kunz
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> > Samid Tennakoon
> > Sent: Monday, 16 February 2004 09:25
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] VPN Help
> >
> >
> > G'day all,
> >
> > We are connecting SecureClient to a VPN gateway which has IP 10.0.0.1
> > NATted to a global IP. The connection fails during the IKE negotiation
> > stage.
> >
> > "srfw monitor" shows traffic goes to 10.0.0.1, not to the global IP.
> >
> > Any help would be highly appreciated.
> >
> > Regards,
> > Prabath
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================