Martin,
Well, in the Checkpoint firewall, I manually create a group object called
"CP_Encryption_Domain" and place LAN_B (network 192.168.1.0/24) in the
CP_Encryption_Domain group object. 192.168.1.2/24 is the physical
IP address of the firewall and 192.168.1.1 is the VRRP IP address of
the CP firewall. Are you telling me that I should "exclude" both the
192.168.1.2 and 192.168.1.1 IP addresses from the CP_Encryption_Domain
group object?
Another thing is that if I "exclude" 192.168.1.2 and .1 from the
"CP_Encryption_Domain" group object, then the encryption on the Cisco
side will NOT match and the VPN tunnel will fail due to encryption domain
mismatch.
Any ideas?
cisco4ng
Martin Hoz <martinhoz AT GMAIL DOT COM> wrote:
On 9/24/06, cisco4ng wrote:
> With VPN "traditional" mode, the Checkpoint FW itself, by
> default, is NOT part of encryption domain but in
> simplified mode, it is. Is there a way to exclude the
> Checkpoint itself from the encryption domain in NGx in
> VPN "simplified" mode?
These are the defaults, as you said. But you can as well specify the
encryption domain manually on the topology tab and specify whatever you
want as the encryption domain there, including just the network objects
you need...
Are you doing it this way (manually specified) and it doesn't work, or
are you leaving the defaults so the encryption domain is calculated
based on the topology?
- Martín.
--
**** What have you done today to save water?
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are a consequence of the past, and the cause of our future."
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================