The Firewall/VPN-1 Box is connected to two networks: the internet and an
internal network. Now the internal network has some subnets which need
access to the internet too. In these subnets there may be untrusted
people, so the traffic to the internet must be encrypted in a VPN
tunnel.

In my scenario I now have VPNs connecting from the internet to the
local network and others connecting from the internal network to the
internet. I think it works pretty well now.

The only problem I'm still facing is when I create a VPN from the
internal network to the Firewall/VPN Box, the Firewall/VPN Box
tries to send ICMP redirects to the target in the internet. These
redirects are then blocked by the Firewall, so that I can see them in
the SmartTracker.
These redirects are only generated for packets leaving the VPN tunnel
(coming from the internal network) and going out to the internet.

Strange, no?

thanks
Nik


Ray wrote:
Mine's a little different. My internal device accepts SecuRemote traffic
from the Internet which is passed through the R55 gateway and terminates on
the IP120. The SecuRemote client is accessing a server behind the IP120
using pcAnywhere.

What exactly are you trying to accomplish? The people behind the internal
firewall are allowed to access what?

Ray

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Problems with VPN connection from internal network
Date: Wed, 2 Mar 2005 08:19:42 +0100

It looks like the VPN tunnel does not do what I want. The VPN worked fine if
for example I pinged the internal net. But if I tried to reach the
internet, the packets were sent in clear. And I realize now that it may
cause problems with VPNs coming from the internet.

I think I have to check the topology again. How did you manage this? The
FW-1/VPN module should take VPN connections from the internal subnets
and route the traffic into the internet, while other traffic from VPNs
from the internet should be routed into the internal net.

For internet VPNs I define the topology as the internal net. For
internal VPNs it should be the internet, right?!
Did you choose the topology based on the interface definition? What type
(three types) did you use for the Star Community: Satellite to Central,
Satellite to central and to other satellites, or Satellite to central, to
other satellites and to internet?

Thanks
Nik


Ray wrote:

Cool. That's a "been there, done that." We had an IP120 on its own
SmartCenter behind another gateway and it worked fine.

That is, it worked fine right up until I decided to free up the server
running the IP120 SmartCenter and make them both managed by the same
one.
There were a few panic-stricken moments when a test of remote access
began reporting an overlapping topology. :-)

Ray

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Problems with VPN connection from internal network
Date: Mon, 28 Feb 2005 12:45:10 +0100

You are right. I had to change the VPN domain as well as the topology on
the FW-1 enforcement module to get the VPN tunnel running and to
prevent anti-spoofing drops.

Thanks
Nik

Ray wrote:

How is the Edge box defined in the topology of the R55 box? Is it
there at all? If so, try changing your VPN domain for the R55 to a group with
exclusion and exclude just the external interface of the Edge box.

If the R55 box knows about the Edge box in its topology, you might be
having some anti-spoofing drops.

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] Problems with VPN connection from internal network
Date: Fri, 25 Feb 2005 14:13:48 +0100

Hello

I need to create a VPN tunnel from the internal network to the FW-1
machine. This is to tunnel an internal subnet (i.e. WLAN) directly into the
internet, without touching the internal one.

My setup is the following:
- Check Point FW/VPN (NG AI R55): external IP 172.17.1.53,
  internal IP 192.168.1.1
- Management with SmartCenter: 192.168.1.2
- VPN-1 Edge Box: 192.168.1.51

I need to create a tunnel from the Edge Box to the Check Point
Firewall, so that all machines connecting behind the Edge Box are directly
tunnelled into the internet.

I managed to do the scenario where the Edge Box is in the internet.
But now, putting the Edge Box into the internal net, the VPN tunnel cannot be
established. On the Edge Box I connected to a service center where I
had to give the IP address of the Management Machine (normally, the IP
address of the firewall should be defined). The connection to the Management
over SWTP worked fine, however I was not able to bring up a VPN tunnel. Here
are the error messages I got:

On the Edge Box:
VPN Tunnel with 192.168.1.2 no respons from peer

On SmartView Tracker:
IKE: Main Mode Sent Notification to Peer: invalid id
VPN-1 Edge: failed to establish VPN Tunnel with gateway

While sniffing, I saw that the Edge Box is trying to set up the
tunnel. I see some IKE messages from the Edge Box to the Firewall, but the
Firewall is not answering. Strange is also the Edge Box message which says "VPN
Tunnel with 192.168.1.2..." which is the IP address of the management.

Is there a way that I can tell the Firewall that it should also do
IKE on the internal interface? Is it actually possible to do a VPN from the
internal network? Any suggestions?

Thanks for your comments
Nik
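Ray's advice in this thread is to define the R55 VPN domain as a group with exclusion that carves the Edge box's external interface out of the internal net, and he later mentions an "overlapping topology" error once both gateways were managed together. The following is an added example (not code from the thread or from Check Point) that models exactly that check with Python's ipaddress module: it builds the excluded domain from the addresses given in the original post and verifies that the peer's address no longer sits inside its own VPN domain and that the two domains do not overlap. The WLAN subnet behind the Edge box (192.168.50.0/24) is an assumption; the thread never states it.

```python
from ipaddress import ip_address, ip_network

# Addresses quoted in the original post.
R55_INTERNAL_NET = ip_network("192.168.1.0/24")   # the net behind the R55 internal interface
EDGE_EXTERNAL_IP = ip_address("192.168.1.51")     # the Edge box's "external" side sits in that net
# Assumed (not in the thread): the WLAN subnet behind the Edge box.
EDGE_LAN = ip_network("192.168.50.0/24")


def group_with_exclusion(networks, excluded_hosts):
    """Model a Check Point 'group with exclusion': every address in
    `networks` except the single hosts in `excluded_hosts`.
    Returns a sorted list of the remaining networks."""
    pieces = list(networks)
    for host in excluded_hosts:
        host_net = ip_network(f"{host}/{host.max_prefixlen}")
        carved = []
        for net in pieces:
            if host in net:
                # address_exclude yields the subnets left after removing host_net
                carved.extend(net.address_exclude(host_net))
            else:
                carved.append(net)
        pieces = carved
    return sorted(pieces)


def peer_inside_domain(domain, peer_ip):
    """True if the VPN peer's own address lies inside the domain we
    advertise to it (the situation that produced the anti-spoofing drops)."""
    return any(peer_ip in net for net in domain)


def overlapping_networks(domain_a, domain_b):
    """All pairs of networks that overlap between two VPN domains;
    a non-empty result is the 'overlapping topology' condition."""
    return [(a, b) for a in domain_a for b in domain_b if a.overlaps(b)]


def build_r55_domain():
    """VPN domain for the R55 as Ray suggests: internal net minus the Edge box."""
    return group_with_exclusion([R55_INTERNAL_NET], [EDGE_EXTERNAL_IP])


if __name__ == "__main__":
    naive = [R55_INTERNAL_NET]
    fixed = build_r55_domain()
    print("Edge peer inside naive R55 domain:", peer_inside_domain(naive, EDGE_EXTERNAL_IP))
    print("Edge peer inside excluded domain: ", peer_inside_domain(fixed, EDGE_EXTERNAL_IP))
    print("Overlap with Edge LAN:", overlapping_networks(fixed, [EDGE_LAN]))
    print("Excluded domain:", [str(n) for n in fixed])
```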


================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
