Subject: Re: [FW-1] exclude CP firewall from the encryption domain in VPN simplified mode
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 25 Sep 2006 07:44:04 -0700
Scott,

Thanks for the info. The Check Point sk ID is sk25675.

That being said, I performed "cpstop" on both the Active and Standby SmartCenter and edited the $FWDIR/lib/user.def file with the vi editor. I performed "cpstart" on both the Active and Standby SmartCenter after that. The problem is that after the policy is pushed, I checked the user.def file again and it seems like the changes I made were not there anymore.

I looked at the sk solution again and it specifically states that this solution is for NG AI and not NGX R61. It seems to me that CP is doing something in NGX R61.

Any ideas? Thanks.

cisco4ng

Scott Tobias <stobias14 AT GMAIL DOT COM> wrote:
  I have seen some documentation from Check Point that describes how to exclude
traffic from a certain IP address so that it is not encrypted. The changes they
discuss in the user.def are

#define NON_VPN_TRAFFIC_RULES \
  (icmp, src=212.150.30.22)


You could try setting it so that traffic with the VRRP address as source or
destination is not encrypted. So it should look something like the
following:

#define NON_VPN_TRAFFIC_RULES \
  (icmp, src=192.168.1.1) or \
  (icmp, dst=192.168.1.1)

I am sure there is a better way to do this but it might accomplish
what you are trying to do.
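Added here as an illustration (not code from the thread, from Check Point, or from sk25675): a small Python model of the two approaches discussed above, carving the gateway's own addresses out of the encryption-domain group versus leaving the group intact and excluding flows with the user.def macro. The remote domain 10.10.0.0/24, the simplified proxy-ID comparison and all function names are assumptions.

```python
import ipaddress

# Constructed from the thread: LAN_B is the local encryption domain; the
# gateway owns 192.168.1.2 (physical) and 192.168.1.1 (VRRP).
LAN_B = ipaddress.ip_network("192.168.1.0/24")
GW_PHYSICAL = ipaddress.ip_address("192.168.1.2")
GW_VRRP = ipaddress.ip_address("192.168.1.1")
# Assumed remote (Cisco-side) encryption domain, not from the thread.
PEER_DOMAIN = [ipaddress.ip_network("10.10.0.0/24")]


def exclude_hosts(network, hosts):
    """Domain that results from 'excluding' single hosts from a network
    object: one /24 becomes a list of smaller subnets."""
    nets = [network]
    for host in hosts:
        host_net = ipaddress.ip_network(str(host))
        nets = [n for old in nets for n in
                (old.address_exclude(host_net) if host_net.subnet_of(old) else [old])]
    return sorted(nets)


def domains_match(local_domain, peer_view_of_local):
    """Simplified phase-2 proxy-ID check: both sides must describe the
    same set of local networks or the tunnel will not come up."""
    return set(local_domain) == set(peer_view_of_local)


def non_vpn_traffic_rules(proto, src, dst):
    """Python mirror of the user.def macro suggested in the thread:
    (icmp, src=192.168.1.1) or (icmp, dst=192.168.1.1)."""
    return proto == "icmp" and (src == GW_VRRP or dst == GW_VRRP)


def is_encrypted(proto, src, dst, local_domain, remote_domain=PEER_DOMAIN):
    """A flow crosses the tunnel when it runs between the two domains and
    is not matched by the exclusion macro."""
    if non_vpn_traffic_rules(proto, src, dst):
        return False
    in_dom = lambda a, dom: any(a in n for n in dom)
    return (in_dom(src, local_domain) and in_dom(dst, remote_domain)) or \
           (in_dom(src, remote_domain) and in_dom(dst, local_domain))


if __name__ == "__main__":
    carved = exclude_hosts(LAN_B, [GW_VRRP, GW_PHYSICAL])
    print("domain after excluding gateway IPs:", [str(n) for n in carved])
    print("still matches the peer's 192.168.1.0/24:", domains_match(carved, [LAN_B]))
    print("ICMP from peer to VRRP encrypted:",
          is_encrypted("icmp", PEER_DOMAIN[0][5], GW_VRRP, [LAN_B]))
```

Carving two hosts out of the group turns one /24 into eight subnets that no longer match the peer's view, which is the mismatch cisco4ng anticipates; the macro approach keeps the domain whole and only bypasses the matched ICMP flows.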

On 9/24/06, cisco4ng wrote:
>
> Martin,
>
> Well, in the Check Point firewall, I manually created a group object
> called "CP_Encryption_Domain" and placed LAN_B (network 192.168.1.0/24)
> in the CP_Encryption_Domain group object. 192.168.1.2/24 is the physical
> IP address of the firewall and 192.168.1.1 is the VRRP IP address of
> the CP firewall. Are you telling me that I should "exclude" both the
> 192.168.1.2 and 192.168.1.1 IP addresses from the CP_Encryption_Domain
> group object?
>
> Another thing is that if I "exclude" the 192.168.1.2 and .1 from the
> "CP_Encryption_Domain" group object, then the encryption on the Cisco
> side will NOT match and the VPN tunnel will fail due to an encryption
> domain mismatch.
>
> Any ideas?
>
> cisco4ng
>
> Martin Hoz wrote:
> On 9/24/06, cisco4ng wrote:
> > With VPN "traditional" mode, the Check Point FW itself, by
> > default, is NOT part of the encryption domain, but in
> > simplified mode, it is. Is there a way to exclude the
> > Check Point itself from the encryption domain in NGX in
> > VPN "simplified" mode?
>
> These are the defaults, as you said. But you can also specify the
> encryption domain manually on the topology tab and specify whatever
> you want as the encryption domain there, including just the network
> objects you need...
>
> Are you doing it this way (manually specified) and it doesn't work, or
> are you leaving the defaults so the encryption domain is calculated
> based on the topology?
>
> - Martín.
>
> --
> **** What have you done today to save water?
> ** My web page: http://gama.fime.uanl.mx/~mhoz/
> * "We are a consequence of the past, and the cause of our future."
> ** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================


