Firewall-1

Re: [FW-1] Edge setup - getting close!

Subject: Re: [FW-1] Edge setup - getting close!
From: Chris Hoff <choff AT CORNERSTONESECURITY DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 30 Jun 2004 11:59:06 -0500
This sounds like the packets that are headed for the Edge domain are
getting translated before being encapsulated by the VPN. You may want to
add a NAT rule that states if going to the VPN domain of the Edge
device, leave the packet original. I think I had to do this in order to
take care of the same issue.

Chris

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Stala
Sent: Tuesday, June 29, 2004 10:06 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Edge setup - getting close!

I am running version 4.0.85x

hardware version is 1.0

I am getting a one-way encryption domain. I have the encryption domain set
to a network object in the firewall; in the LSM I have the vpnedge
object with an encryption range set in it.

I can get traffic to encrypt from the edge box to the Nokia but not back
to the edge box. I get an error that there is a translation error, and
it is dropping it.

----- Original Message -----
From: "Ray" <sixsigma44 AT HOTMAIL DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Thursday, June 24, 2004 11:06 PM
Subject: Re: [FW-1] Edge setup - getting close!


Yeah, I saw some of that also until I got it managed by the SmartCenter
server. I'm going to add its encryption domain to our network monitoring
system and ping it every minute to get a better feel for what's going
on.

I was seeing continuous traffic flow from the Edge encryption domain but
the reverse was what was intermittent. Oddly, one of my internal subnets
could ping it all the time but a couple others couldn't do it and I was
seeing a "no valid SA" message in the log from those subnets.

In other words, some subnets were two-way and others were one-way, from
the Edge to them but not back.

What firmware version are you on?

Ray

>From: Stala <stala AT TAMPABAY.RR DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Edge setup - getting close!
>Date: Thu, 24 Jun 2004 20:57:44 -0400
>
>I keep getting a problem with the encryption domain going away. The
>tunnel is still up but no traffic will flow, and then for no reason at
>all the traffic starts flowing again. Lots more testing will need to be
>done....
>----- Original Message -----
>From: "Ray" <sixsigma44 AT HOTMAIL DOT COM>
>To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>Sent: Thursday, June 24, 2004 4:50 PM
>Subject: Re: [FW-1] Edge setup - getting close!
>
>
>Nothing personal, Chris, but I hope that's wrong...  :-)
>
>Although I was leaning as to that being the answer. <sigh>
>
>Ray
>
>
> >From: Chris Hoff <choff AT CORNERSTONESECURITY DOT COM>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> >Subject: Re: [FW-1] Edge setup - getting close!
> >Date: Thu, 24 Jun 2004 10:51:59 -0500
> >
> >In order to route all traffic through the vpn, you have to be using a
> >star community and check the radio button to route all traffic
> >through the hub.
> >
> >Regards,
> >
> >Chris
> >
> >-----Original Message-----
> >From: Mailing list for discussion of Firewall-1
> >[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
> >Sent: Wednesday, June 23, 2004 10:05 PM
> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> >Subject: Re: [FW-1] Edge setup - getting close!
> >
> >Turns out it is, although not as fast as I thought it would. It's not
> >logging traffic coming in via the VPN, just stuff trying to go to
> >targets outside of the primary gateway VPN Domain, which it is showing
> >as "accept" and not "encrypt".
> >
> >So I'm back to my original quandary of how to make it route everything
> >down the VPN. Is this just not possible in a mesh VPN or could it be
> >done with a static route somehow?
> >
> >I dunno...
> >
> >Ray
> >
> > >From: Ray <sixsigma44 AT HOTMAIL DOT COM>
> > >Reply-To: Mailing list for discussion of Firewall-1
> > ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> > >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > >Subject: [FW-1] Edge setup - getting close!
> > >Date: Wed, 23 Jun 2004 19:49:29 -0400
> > >
> > >Second problem: How do I get the Edge box to send its logs to the
> > >SmartCenter server? I can't see that it's doing that.
> > >
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages, send an email to
> >LISTSERV AT amadeus.us.checkpoint DOT com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list, please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your subscription options,
> >email fw-1-owner AT ts.checkpoint DOT com
> >=================================================
