I have seen some documentation from Check Point that allows excluding
traffic from a certain IP address so that it is not encrypted. The changes they
discuss in user.def are:
#define NON_VPN_TRAFFIC_RULES \
(icmp, src=212.150.30.22)
You could try setting it so traffic from the source and destination of the
VRRP address is not encrypted. So it should look something like the
following (the conditions are joined with "or", and each continued line
ends with a backslash):
// Exclude ICMP to/from the VRRP address from VPN encryption
#define NON_VPN_TRAFFIC_RULES \
(icmp, src=192.168.1.1) or \
(icmp, dst=192.168.1.1)
I am sure there is a better way to do this but it might accomplish
what you are trying to do.
On 9/24/06, cisco4ng <cisco4ng AT yahoo DOT com> wrote:
Martin,
Well, in the Check Point firewall, I manually create a group object called
"CP_Encryption_Domain" and place LAN_B (network 192.168.1.0/24) in the
CP_Encryption_Domain group object. 192.168.1.2/24 is the physical
IP address of the firewall and 192.168.1.1 is the VRRP IP address of
the CP firewall. Are you telling me that I should "exclude" both the
192.168.1.2 and 192.168.1.1 IP addresses from the CP_Encryption_Domain
group object?
Another thing is that if I "exclude" the 192.168.1.2 and .1 from the
"CP_Encryption_Domain" group object, then the encryption domain on the Cisco
side will NOT match and the VPN tunnel will fail due to an encryption
domain mismatch.
Any ideas?
cisco4ng
Martin Hoz <martinhoz AT GMAIL DOT COM> wrote:
On 9/24/06, cisco4ng wrote:
> With VPN "traditional" mode, the Checkpoint FW itself, by
> default, is NOT part of encryption domain but in
> simplified mode, it is. Is there a way to exclude the
> Checkpoint itself from the encryption domain in NGx in
> VPN "simplified" mode?
These are the defaults, as you said. But you can also specify the
encryption domain manually on the topology tab and specify whatever you
want as the encryption domain there, including just the network objects
you need...
Are you doing it this way (manually specified) and it doesn't work, or
are you leaving the defaults so the encryption domain is calculated based
on the topology?
- Martín.
--
**** What have you done today to save water?
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are a consequence of the past, and the cause of our future."
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================