-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 10:11 AM
To: Madhur Nanda
Cc: [EMAIL PROTECTED]
Subject: Re: VPN FW-1


On the second firewall, the encryption should take place on the address
used by the NAT translation (the outside address). Are you encrypting
based on the outside address, or on the internal, private addresses?

In other words, if you have a setup like this:

LAN-using-192.168.1.0---<FW1
w/NAT>---VPN-using-204.233.3.0---<FW2>---etc

On FW2's ruleset, are you encrypting based on the 192.168.1.0 address or
the 204.233.3.0 address? You should be encrypting on the 204.233.3.0.
---------------------
----> THAT'S CORRECT, I'm using virtual network id say 10.1.1.0 (as NAT)
for 192.168.1.0 (if I take the case as above) on second firewall. On
the first firewall no NAT so its FW encryption domain becomes
192.168.1.0 and on the second firewall I'm using NAT for 192.168.1.0 to
say 10.1.1.0 and I'm calling 10.1.1.0 as encryption domain for second
firewall in addition to another network which acts as virtual n/w (NAT
for) for encryption domain of third FW say 172.16.1.10. i.e. second FW has
two networks in its encryption domain (10.1.1.0 and 10.2.2.0), one
corresponding to first FW encryption domain (192.168.1.0) and other one
corresponding to third FW encryption domain i.e. (172.16.1.0).

Now the system in 192.168.1.0 initiates connection to 10.2.2.0 which is
virtual n/w id for 3rd FW encryption domain. It goes in encrypted form
to FW 2 and gets decrypted there and then source is translated to
10.1.1.0 (virtual n/w for 1st FW encryption domain) and destination to
actual destination (encryption domain of 3rd FW, 172.16.1.0), now the
source is part of 2nd FW encryption domain and destination is part of
3rd FW encryption domain, so the traffic should go from 2nd to 3rd in
encrypted form.......but IT'S NOT HAPPENING
----------------------------
If that's not the problem, I'm not sure what else to say except go wild
on the logging and see what's happening. It's possible that you have a
crypt algorithm mismatch or something of that sort. If you don't see any
encrypt/decrypt messages in the logs, then it's most likely a rule set to
encrypt on a wrong source address.

On Fri, 29 Jun 2001, Madhur Nanda wrote:

> Hi,
>
> I am testing a setup where I have three firewalls in a chain.
>
> The first and second firewall form a g/w to g/w VPN and then second and
> third form another VPN. The second firewall has two interfaces and as
> such it forms VPN with its peer on different interface. I wish to allow
> traffic originating from encryption domain of firewall one to systems in
> encryption domain of firewall three. The second firewall comes in the
> middle and mediates the traffic. I'm using NAT rules on the second
> firewall so as to distinguish between encryption domains on second
> firewall.
> The traffic reaches the second firewall as desired (encrypt -> NAT ->
> ??) But when it leaves the second firewall it is not getting encrypted
> and going plainly.....
>
> Can someone throw some light on it????
>
> 1) NAT takes place at only one interface??
> 2) FW-1 can form encryption VPN on two interfaces???
>
> TIA
>
> regds
> Madhur
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>

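The failure mode the reply points at (an encrypt rule on FW2 matching the private addresses instead of the NATed ones) can be modelled with the addresses from the thread. This is an added illustration, not FW-1 code or configuration; the three-step pipeline (decrypt, NAT, encrypt decision) and the `rule_matches` switch are assumptions of the model.

```python
from ipaddress import IPv4Address, IPv4Network

# Encryption domains as described in the thread (constructed model, not FW-1 syntax).
DOMAINS = {
    "FW1": [IPv4Network("192.168.1.0/24")],
    "FW2": [IPv4Network("10.1.1.0/24"), IPv4Network("10.2.2.0/24")],
    "FW3": [IPv4Network("172.16.1.0/24")],
}

# Static NAT on FW2, applied to whichever address matches: real FW1 net -> virtual
# 10.1.1.0 (source side), virtual 10.2.2.0 -> real FW3 net (destination side).
NAT_FW2 = {
    IPv4Network("192.168.1.0/24"): IPv4Network("10.1.1.0/24"),
    IPv4Network("10.2.2.0/24"): IPv4Network("172.16.1.0/24"),
}


def in_domain(gw, addr):
    return any(addr in net for net in DOMAINS[gw])


def translate(addr, table):
    """Static 1:1 NAT keeping the host part; unmatched addresses pass through."""
    for before, after in table.items():
        if addr in before:
            offset = int(addr) - int(before.network_address)
            return IPv4Address(int(after.network_address) + offset)
    return addr


def fw2_forward(src, dst, rule_matches="post-nat"):
    """Decide what FW2 does with a packet it has just decrypted from FW1.

    rule_matches: "post-nat" if the FW2 encrypt rule is written against the
    translated (outside) addresses, "pre-nat" if against the private ones.
    Returns (action, translated_src, translated_dst), action in
    {"not-tunnel", "encrypt", "plain"}.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    # 1. The FW1->FW2 tunnel only carries traffic between the two peers' domains.
    if not (in_domain("FW1", src) and in_domain("FW2", dst)):
        return "not-tunnel", str(src), str(dst)
    # 2. NAT after decryption: virtual source, real destination.
    nsrc, ndst = translate(src, NAT_FW2), translate(dst, NAT_FW2)
    # 3. Encrypt toward FW3 only if the rule's view of src/dst lands in the
    #    FW2 and FW3 domains; a rule seeing pre-NAT addresses never matches.
    s, d = (nsrc, ndst) if rule_matches == "post-nat" else (src, dst)
    action = "encrypt" if in_domain("FW2", s) and in_domain("FW3", d) else "plain"
    return action, str(nsrc), str(ndst)
```

With the rule written against the translated addresses the packet leaves FW2 encrypted; against the private addresses it leaves in the clear, which is the symptom described.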