Cool. That's a "been there, done that." We had an IP120 on its own SmartCenter behind another gateway and it worked fine.
That is, it worked fine right up until I decided to free up the server running the IP120 SmartCenter and make them both managed by the same one. There were a few panic-stricken moments when a test of remote access began reporting an overlapping topology. :-)
Ray
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Reply-To: Mailing list for discussion of Firewall-1 <[email protected]> To: [email protected] Subject: Re: [FW-1] Problems with VPN connection from internal network Date: Mon, 28 Feb 2005 12:45:10 +0100
You are right. I had to change the VPN domain as well as the topology on the FW-1 enforcement module to get the VPN tunnel running and to prevent anti-spoofing drops.
Thanks Nik
Ray wrote: How is the Edge box defined in the topology of the R55 box? Is it there at all? If so, try changing your VPN domain for the R55 to a group with exclusion and exclude just the external interface of the Edge box.
If the R55 box knows about the Edge box in its topology, you might be having some anti-spoofing drops.
Ray
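The two mechanisms Ray refers to above, anti-spoofing tied to the interface topology and a VPN domain defined as a group with exclusion, as an added Python model. This is illustrative code written for this page, not Check Point software, and it simplifies the real checks to the parts the thread talks about. The addresses are the ones posted in the thread; the interface names eth0/eth1, the WLAN subnet 10.10.10.0/24 behind the Edge and the host 172.17.1.200 are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VpnDomain:
    """Encryption domain modelled as a Check Point 'group with exclusion':
    everything in `include` minus everything in `exclude`."""
    include: list
    exclude: list = field(default_factory=list)

    def contains(self, addr):
        a = ip_address(addr)
        if any(a in n for n in self.exclude):
            return False
        return any(a in n for n in self.include)

    def effective_networks(self):
        """Disjoint networks that really belong to the domain once the
        exclusions are carved out of the included networks."""
        pieces = list(self.include)
        for ex in self.exclude:
            kept = []
            for p in pieces:
                if not p.overlaps(ex):
                    kept.append(p)
                elif ex.subnet_of(p):
                    kept.extend(p.address_exclude(ex))
                # else: p lies entirely inside ex and disappears
            pieces = kept
        return sorted(pieces)


def domains_overlap(a, b):
    """True if some address is claimed by both domains, which is the
    condition a SmartCenter reports as overlapping encryption domains."""
    return any(x.overlaps(y)
               for x in a.effective_networks()
               for y in b.effective_networks())


def antispoof_verdict(topology, iface, src):
    """Simplified anti-spoofing: a packet is accepted on an interface only if
    its source address is legitimate for that interface. `topology` maps an
    interface name to the list of networks behind it, or to the string
    'external' for the Internet-facing interface, which accepts any source
    that is not claimed by an internal interface."""
    src = ip_address(src)
    internal_nets = [n for nets in topology.values()
                     if nets != "external" for n in nets]
    if topology[iface] == "external":
        return "drop" if any(src in n for n in internal_nets) else "accept"
    return "accept" if any(src in n for n in topology[iface]) else "drop"


# Constructed from the addresses in the thread (interface names assumed).
R55_TOPOLOGY = {
    "eth0": "external",                       # 172.17.1.53 faces the Internet
    "eth1": [ip_network("192.168.1.0/24")],   # 192.168.1.1, the internal LAN
}
EDGE_EXTERNAL_IP = "192.168.1.51"

# VPN domain of the R55 as derived from its internal topology.
R55_DOMAIN = VpnDomain(include=[ip_network("192.168.1.0/24")])
# Ray's suggestion: the same domain as a group with exclusion for the Edge.
R55_DOMAIN_EXCL = VpnDomain(include=[ip_network("192.168.1.0/24")],
                            exclude=[ip_network("192.168.1.51/32")])
# The WLAN behind the Edge; the thread names no subnet, so this is assumed.
EDGE_DOMAIN = VpnDomain(include=[ip_network("10.10.10.0/24")])
# The Edge's own external address as a one-host domain, used to ask
# whether the R55 domain still claims the peer gateway's address.
EDGE_SELF = VpnDomain(include=[ip_network("192.168.1.51/32")])


def main():
    print("IKE from Edge arriving on eth1:",
          antispoof_verdict(R55_TOPOLOGY, "eth1", EDGE_EXTERNAL_IP))
    print("same source arriving on eth0:",
          antispoof_verdict(R55_TOPOLOGY, "eth0", EDGE_EXTERNAL_IP))
    print("Edge address inside R55 domain:", R55_DOMAIN.contains(EDGE_EXTERNAL_IP))
    print("... after exclusion:", R55_DOMAIN_EXCL.contains(EDGE_EXTERNAL_IP))
    print("effective R55 domain:",
          [str(n) for n in R55_DOMAIN_EXCL.effective_networks()])
    print("R55 domain claims Edge address:", domains_overlap(R55_DOMAIN, EDGE_SELF))
    print("... after exclusion:", domains_overlap(R55_DOMAIN_EXCL, EDGE_SELF))
    print("R55 and Edge WLAN domains overlap:",
          domains_overlap(R55_DOMAIN_EXCL, EDGE_DOMAIN))


if __name__ == "__main__":
    main()
```

The point of `effective_networks` is that excluding one host from a /24 does not leave a single network behind; it leaves the eight CIDR blocks that together cover the other 255 addresses, which is what the overlap check has to compare.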
From: [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 <[email protected]> To: [email protected] Subject: [FW-1] Problems with VPN connection from internal network Date: Fri, 25 Feb 2005 14:13:48 +0100
Hello
I need to create a VPN tunnel from the internal network to the FW-1 machine. This is to tunnel an internal subnet (i.e. WLAN) directly into the internet, without touching the internal one.
My setup is the following:
- Check Point FW/VPN (NG AI R55): external IP 172.17.1.53, internal IP 192.168.1.1
- Management with SmartCenter: 192.168.1.2
- VPN-1 Edge Box: 192.168.1.51
I need to create a tunnel from the Edge Box to the Check Point Firewall, so that all machines connecting behind the Edge Box are directly tunnelled into the internet.
I managed to do the scenario where the Edge Box is in the internet. But now, putting the Edge Box into the internal net, the VPN tunnel cannot be established. On the Edge Box I connected to a service center where I had to give the IP address of the Management Machine (normally, the IP address of the firewall should be defined). The connection to the Management over SWTP worked fine, however I was not able to bring up a VPN tunnel. Here are the error messages I got:
On the Edge Box: VPN Tunnel with 192.168.1.2 no respons from peer
On SmartView Tracker: IKE: Main Mode Sent Notification to Peer: invalid id VPN-1 Edge: failed to establish VPN Tunnel with gateway
While sniffing, I saw that the Edge Box is trying to set up the tunnel. I see some IKE messages from the Edge Box to the Firewall, but the Firewall is not answering. Strange is also the Edge Box message which says "VPN Tunnel with 192.168.1.2", which is the IP address of the management.
Is there a way that I can tell the Firewall that it should also do IKE on the internal interface? Is it actually possible to do a VPN from the internal network? Any suggestions?
Thanks for your comments Nik
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
