Thanks Gary,
it works after site update;
don't know why this is not done automatically, btw
--------------------------------------------------------------------------------------
Joel
Gary Scott <gscott AT VIGILAR DOT COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
18/05/2007 23:44
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
cc:
Subject: Re: [FW-1] VPN SecureClient : IP flows to a new internal network not encrypted in the VPN tunnel
After changing your encryption domain did you do a site update on the
client?
-GS
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Joel
Guillerm
Sent: Friday, May 18, 2007 4:56 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] VPN SecureClient : IP flows to a new internal network not encrypted in the VPN tunnel
Checkpoint NG R55, Nokia IPSO 4.1, SecureClient R56;
VPN tunnel is established correctly from the SecureClient PC; IP address is correctly assigned to the PC;
everything has been working OK for a while;
now, we want to give access to a new internal LAN network;
so, we defined it everywhere it is needed (new object, added to the Group of other existing internal LAN networks and to the AntiSpoofing Group, update of the Nokia routing table);
the firewall can reach this new network locally, and from this new network, we can reach DMZ or Internet resources the same way we can from the other existing internal LAN networks;
When we try to access this new LAN network thru a VPN connection, it does not work at all (no ping, nothing);
on the PC connected via VPN, we can see the 2 following points:
a) the routing table does not show this new network as accessible thru the VPN tunnel address, so this means flows to this new network are sent as clear flow towards Internet, and not to the Firewall
b) the Log viewer confirms this point, since the test Pings to this new LAN network show them as being sent not encrypted, with source IP address the ISP IP address, not the VPN one;
If we add manually a route on the PC to tell it the new network is reachable via the VPN tunnel IP address, the Log viewer shows the source address is now correct, but the flow is still not encrypted, so it still does not work.
Is there a specific definition somewhere to indicate which flows should be routed and encrypted in the VPN tunnel?
As mentioned, this new LAN network has been defined as an existing LAN network and added in the Group of those existing LANs, and this Group was already defined as the destination of VPN rules.
Thanks in advance for any help
--------------------------------------------------------------------------------------
Joel
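The symptom described in the thread (the client routes the new LAN in clear until a site update is done) comes down to the client working from a cached copy of the gateway's encryption domain. The script below is an added example, not code from the thread or from Check Point; it models that cache with constructed sample networks and hypothetical function names, and reports which gateway-protected networks a client with a stale topology would send in clear, then shows the same check after the cache is refreshed.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data (not from the thread): the encryption domain the
# client cached at its last site update, and the gateway's current domain after
# the administrator added a new internal LAN (10.1.7.0/24 here is invented).
CLIENT_CACHED_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "192.168.50.0/24"]
GATEWAY_CURRENT_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "192.168.50.0/24", "10.1.7.0/24"]


def parse_domain(nets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def is_tunneled(dst: str, domain: List[ipaddress.IPv4Network]) -> bool:
    """True if the client would push traffic to dst into the tunnel, i.e. dst lies
    inside one of the encryption-domain networks the client knows about."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in domain)


def classify(dst: str, domain: List[ipaddress.IPv4Network]) -> str:
    """'tunneled' or 'clear' for a single destination, from the client's view."""
    return "tunneled" if is_tunneled(dst, domain) else "clear"


def stale_networks(client_domain, gateway_domain) -> List[ipaddress.IPv4Network]:
    """Networks the gateway protects that the client has no knowledge of. Traffic
    to these leaves the PC unencrypted with its ISP-assigned source address,
    which is exactly what the SmartView log in the thread showed."""
    return [
        net for net in gateway_domain
        if not any(net.subnet_of(cached) for cached in client_domain)
    ]


def site_update(gateway_domain):
    """Model a client 'site update': the cache is replaced by the gateway's
    current topology. Hypothetical helper, not a Check Point API."""
    return list(gateway_domain)


if __name__ == "__main__":
    cached = parse_domain(CLIENT_CACHED_DOMAIN)
    current = parse_domain(GATEWAY_CURRENT_DOMAIN)
    for net in stale_networks(cached, current):
        print(f"client would send {net} in clear (not in cached topology)")
    print("before update, 10.1.7.5 ->", classify("10.1.7.5", cached))
    refreshed = site_update(current)
    print("after update,  10.1.7.5 ->", classify("10.1.7.5", refreshed))
```

The check is deliberately one-sided: adding a static route on the PC, as the original poster tried, changes only where the packet is sent, not whether the client's policy considers the destination part of the VPN domain, so the output of classify() stays "clear" until the cached domain itself is refreshed.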
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================