Thanks Hal. Your thoughts make complete sense and that's how I initially
set up the connectivity, but it didn't seem to work.
Packets to the extranet destinations that SecureClient users need to get to
would be accepted and decrypted at the gateway using "Client Encrypt"
rules. However, at that point the gateway would then route the packets out,
unencrypted, to the destinations. Please note that the destinations (for
the extranet) are public IP addresses.
As for the topology setup, the destinations for the extranet have been
included in two places:
1) In the VPN domain for our gateway. This is required to allow our gateway
to accept and decrypt the connections from SecureClient users.
2) In the VPN domain for the externally managed gateway.
Physically, SecuRemote/SecureClient connections come into our gateway on
the same interface that the extranet tunnel is terminating on. Not sure if
this has any impact, but I'm just trying to give a clearer picture of the
setup.
Ray had responded to my posting previously explaining that "hub mode" in NG
AI should support the setup I need. I did some digging around and found
the following document on the Check Point website. It basically describes
exactly what I need to do. Only problem is we're stuck with NG FP2 for the
time being.
http://secureknowledge.checkpoint.com/pub/sk/docs/public/firewall1/ng/pdf/RouteAllVpnTraffic.pdf
Regards,
David A Muscat
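To make the failure mode in this thread concrete, here is a toy model of the decision a hub gateway makes with a packet it has just decrypted from a SecureClient user. It is an added illustration, not Check Point code and not the behaviour of any specific release: the two rules it applies (the gateway decrypts only if the destination is in its own VPN domain; site-to-site re-encryption requires the source to count as local as well as the destination being in a peer's domain) and the way "hub mode" is modelled (remote-access traffic treated as originating inside the local domain) are simplifying assumptions. All addresses come from the RFC 5737 documentation ranges and are constructed for the example. The `overlapping()` check flags the situation described above, where the extranet destinations sit in both our own VPN domain and the peer's, so you can see which gateway "claims" a destination.

```python
"""Toy model of how a hub gateway handles a packet decrypted from a
SecureClient user. Added illustration for the thread above, not Check Point
code: the matching rules are simplified assumptions, the addresses are
constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    vpn_domain: List[str]      # networks this gateway encrypts on behalf of
    hub_mode: bool = False     # "route all VPN traffic through the gateway" (assumed behaviour)

    def in_domain(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(net) for net in self.vpn_domain)


@dataclass
class Topology:
    local: Gateway
    peers: List[Gateway] = field(default_factory=list)

    def peer_for(self, dst: str) -> Optional[Gateway]:
        """First peer whose VPN domain contains dst (None if no peer claims it)."""
        return next((p for p in self.peers if p.in_domain(dst)), None)

    def overlapping(self) -> List[Tuple[str, str, str]]:
        """Networks listed in both the local VPN domain and a peer's domain.
        The setup in the thread lists the extranet hosts in both, so this is non-empty."""
        hits = []
        for peer in self.peers:
            for mine in self.local.vpn_domain:
                for theirs in peer.vpn_domain:
                    if ip_network(mine).overlaps(ip_network(theirs)):
                        hits.append((peer.name, mine, theirs))
        return hits


def handle_client_packet(topo: Topology, client_ip: str, dst: str) -> str:
    """Decide the fate of a packet a SecureClient user sent through the gateway.
    Returns 'drop', 'clear' (forwarded unencrypted) or 'encrypt:<peer>'."""
    gw = topo.local
    # 1. Client Encrypt rule: the gateway only decrypts traffic whose destination
    #    lies in its own VPN domain; anything else is not accepted here.
    if not gw.in_domain(dst):
        return "drop"
    # 2. Site-to-site re-encryption (modelling assumption): the match is
    #    "source counts as local AND destination is in the peer's domain".
    #    A SecureClient arriving from a public IP fails the source half, so the
    #    packet leaves in the clear, which is the symptom reported in the thread.
    #    Hub mode is modelled as treating remote-access traffic as local.
    peer = topo.peer_for(dst)
    source_counts_as_local = gw.in_domain(client_ip) or gw.hub_mode
    if peer is not None and source_counts_as_local:
        return f"encrypt:{peer.name}"
    return "clear"


# Constructed sample topology (documentation address ranges, not real sites).
EXTRANET_NET = "203.0.113.0/24"       # public addresses at the extranet partner
CLIENT_IP = "198.51.100.7"            # SecureClient user's public address
EXTRANET_HOST = "203.0.113.10"


def build_topology(hub_mode: bool) -> Topology:
    """Our gateway lists the extranet range in its own VPN domain (so it will
    decrypt client traffic for it) and the externally managed peer lists it too."""
    local = Gateway("our-gw", ["10.1.0.0/16", EXTRANET_NET], hub_mode=hub_mode)
    extranet = Gateway("extranet-gw", [EXTRANET_NET])
    return Topology(local, [extranet])


def main() -> None:
    for hub in (False, True):
        topo = build_topology(hub)
        verdict = handle_client_packet(topo, CLIENT_IP, EXTRANET_HOST)
        print(f"hub_mode={hub}: {CLIENT_IP} -> {EXTRANET_HOST}: {verdict}")
    print("overlapping domains:", build_topology(False).overlapping())


if __name__ == "__main__":
    main()
```

Run it and the non-hub topology returns `clear` for the extranet host while the hub-mode topology returns `encrypt:extranet-gw`; a destination in neither domain is dropped at step 1. The point of the model is only to separate the two questions that get conflated in the thread: whether the gateway will decrypt the client's packet at all, and whether anything afterwards will claim it for re-encryption.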
Hal Dorsman <hdorsman AT RMEF DOT ORG>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
19/08/2004 03:09 AM
Please respond to Mailing list for discussion of Firewall-1
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
cc:
Subject: Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
I was a little confused by your question so didn't answer at first,
hoping someone else understood better. Since no one did, here goes
my guess. This is a routing issue handled by the firewall. The
firewall knows about the routing requirements for your extranet
tunnel based on topology. You connect to your gateway as defined
by your SC client setup, then your gateway knows to route (and
re-encrypt) packets destined for your extranet based on topology.
So yes, it is possible, and pretty much the default setup once you
have your topology defined.
Hal
> -----Original Message-----
> From: David A Muscat [mailto:muscatd AT AU1.IBM DOT COM]
> Sent: Monday, August 16, 2004 7:10 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Remote extranet access over SecuRemote/SecureClient
>
>
> Hi all,
>
> I'm running a Check Point NG FP2 gateway with VPN on a Solaris
> server. This
> firewall serves as the gateway for SecureClient users and
> it's also a VPN
> termination point for an extranet tunnel.
>
> There's a requirement to allow SecureClient users to access
> this tunnel.
> I.e., a SecureClient user sends packets to destinations which are at the
> remote extranet site. I've managed to configure the userc.C file to
> correctly encrypt the packets and send them to the gateway.
> The gateway
> then decrypts these packets but then I need them re-encrypted
> to send back
> out across the extranet tunnel to their final destination.
>
> Is this kind of setup/connectivity actually possible without having to
> route the packets anywhere else beyond the firewall? Any ideas or
> suggestions would be greatly appreciated.
>
> Thanks!
>
> David A Muscat
>
> IBM Global Services
> Email: muscatd AT au1.ibm DOT com
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>