Hi

There are some steps to do to reach the networks connected site-by-site to the main site you've connected to with SecureClient. Please be aware that I've not tested this config for Edge or S-Boxes but for FW1 Sites with VPN1-Net or any other license. But I'm quite sure that this should also work for these small office boxes.

It is needed that you use office mode and have the office mode range in the Enc_A encryption domain of firewall A.

[RemoteAccessClient] -------> [ Firewall A (Enc_A)] ----(vpn over Internet)---[Firewall B (Enc_B)]

# Firewall A and Firewall B are in the same community

Step - by - Step
-----------------

1. Include Enc_B into Enc_A (defined on the object in the GUI)

1.1 On the firewall object of Firewall A go to the tab "Remote Access" and enable HUB Mode Configuration (Allow Secure Client to route traffic through this gateway)

1.2 Use Dbedit and change the key "GW_route_traffic_for_OM_address" to true (in global properties)

1.3 Use Dbedit and check (if you use VPN1-Net) that under "Network Objects" -> "network_objects" in the config of the firewall the "exportable" is set to "false"

2. Make an entry in $FWDIR/conf/vpn_route.conf (please be aware that the force_override is needed)

#destination    router        install_on    [force_override]
Enc_B           Firewall B    Firewall A    force_override

So that's all.

Philip Markwalder
--
Celeris AG             http://www.celeris.ch/
Studbachstrasse 13b    Phone: +41 1 938 5720
CH-8340 Hinwil         Fax: +41 1 938 5721

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Friday, 3 September 2004 20:58
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN routing question

I just set up a test VPN from an R55 gateway to an Edge XU box and I now have my computer on its internal network. When I have SecureClient running on my computer, I can't get to the "real" internal network. I have to disable the policy, even though this new internal network is allowed in the desktop security policy, and also stop SecureClient. Then everything works OK.

I vaguely recall reading about this before and it seemed that it had something to do with the topology being fed to SecureClient. All remote access will be to the R55 gateway and then down the site-to-site VPN to the Edge internal networks.
We are using hub mode for SecureClient. Any pointers would be appreciated!

Thanks,
Ray

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
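
An added example, not part of the original thread: a small Python check that the text of a vpn_route.conf contains the route from step 2 and that it carries force_override. The object names fw_a and fw_b, the sample file contents, and the whitespace-separated layout with # comments are assumptions based on the header line shown in the message.

```python
"""Lint vpn_route.conf text for the hub-mode route described in step 2."""
from typing import NamedTuple

class Route(NamedTuple):
    lineno: int
    destination: str
    router: str
    install_on: str
    force_override: bool

def parse_vpn_routes(text):
    """Return (routes, errors); fields are assumed to be whitespace-separated."""
    routes, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if len(f) not in (3, 4):
            errors.append(f"line {lineno}: expected 3 or 4 fields, got {len(f)}")
        elif len(f) == 4 and f[3] != "force_override":
            errors.append(f"line {lineno}: unknown 4th field {f[3]!r}")
        else:
            routes.append(Route(lineno, f[0], f[1], f[2], len(f) == 4))
    return routes, errors

def check_hub_route(text, destination, router, install_on):
    """Return a list of findings; an empty list means the route looks right."""
    routes, findings = parse_vpn_routes(text)
    matches = [r for r in routes
               if r.destination == destination and r.install_on == install_on]
    if not matches:
        findings.append(f"no route for {destination} installed on {install_on}")
    for r in matches:
        if r.router != router:
            findings.append(f"line {r.lineno}: router is {r.router}, expected {router}")
        if not r.force_override:
            findings.append(f"line {r.lineno}: force_override missing")
    return findings

# Constructed sample contents; fw_a and fw_b are hypothetical object names.
HEADER = "#destination router install_on [force_override]\n"
SAMPLE_OK = HEADER + "Enc_B fw_b fw_a force_override\n"
SAMPLE_BAD = HEADER + "Enc_B fw_b fw_a\n"

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_hub_route(text, "Enc_B", "fw_b", "fw_a") or "no findings")
```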