All,

This was a very useful doc. When I was trying to set up a site-to-site VPN, I noticed that the VPN tunnel was failing on the IKE renegotiation after the timeout had expired. To make a long story short, this document, *not* found in Checkpoint's Knowledge Base, helped me get the VPN up and running. I hope this contributes to someone who has similar issues.
Regards,
Shane

Source Address Determination

Overview

Interface resolving aids in determining the appropriate IP of a VPN peer. Likewise, source address determination ensures that the IP used by a gateway makes sense according to the specific VPN peer it is communicating with. This ability is necessary when VPNs are terminated on multiple interfaces of a gateway, for the following reasons:

1. If a peer begins an IKE exchange using one IP for the destination module, and the response is sourced from a different IP, the peer may reject the response. Another outcome is that the IKE Initiator finishes the exchange, but with the new IP of the peer. This may seem harmless, but can have serious consequences: if the second IP injected into the exchange is not routable back to the module, communication will fail.

2. If the IP in response packets differs from what the Initiator is using for the module, the packets may be blocked by security devices between the communicating peers. The gateway routes return packets via the appropriate exit interface, according to the direction of the remote peer, so the IP used as the source can differ from the IP of the exit interface. If there are devices performing anti-spoofing between the peers, they will likely drop such packets.

Parameters

NOTE: All parameters are held per Check Point Network object, and are editable via dbedit.

Parameter           Definition                                                                   Cluster default
IPSec_cluster_nat   only present for cluster objects; forces a response from a defined           true
                    cluster IP
IPSec_orig_if_nat   present for cluster and module objects; forces a response from the           true
                    IP/cluster IP that was initiated to
IPSec_main_if_nat   present for cluster and module objects; forces a response from the IP        false
                    on the General tab of the relevant firewall(ed) object

Individual usage

-IPSec_cluster_nat-
With just this parameter enabled, the cluster responds from one of the cluster IPs defined on the cluster object: the cluster IP associated with the exit interface. The response IP is therefore not necessarily the IP shown on the General tab, but it will be a cluster IP.

-IPSec_orig_if_nat-
With just this parameter enabled, the gateway responds from the IP/cluster IP that the VPN peer initiated to. With this parameter there is no chance that the gateway will begin using a different IP and cause communication issues.

-IPSec_main_if_nat-
When used alone, this parameter makes the gateway always respond from the IP on the General tab of the gateway object. This is true even if the gateway object is a member of a cluster, and thereby present in a cluster object.

Combined usage

-IPSec_cluster_nat & IPSec_orig_if_nat-
When both of these parameters are enabled (the default for cluster objects), the behavior closely resembles having only IPSec_cluster_nat enabled. The difference is that if the exit interface uses a different cluster IP than the one initiated to, response packets continue to use the cluster IP the peer communicated with initially.

-IPSec_cluster_nat & IPSec_main_if_nat-
With this combination, the gateway responds to clients according to the IP listed on the General tab of the corresponding object. For a cluster, that is the IP on the General tab of the cluster object; for a single gateway, it is the physical IP shown on the General tab.

-IPSec_main_if_nat & IPSec_orig_if_nat-
With this combination, IPSec_orig_if_nat overrides IPSec_main_if_nat. The end result is the same as if only IPSec_orig_if_nat were enabled.

All parameters disabled
With all relevant properties disabled, the module responds from the physical IP of the exit interface, regardless of whether it is a member of a cluster.
