1. Why is not all traffic allowed through a tunnel while "Accept all
encrypted traffic" is checked in the community settings? (For example,
ping and ssh get encrypted while ftp does not, so only an explicit rule
allowing ftp helps.)
You have a community default rule, and FTP does not get encrypted? Do you
have FTP excluded in the VPN Community properties?
2. Why does Check Point expect the traffic between the gateways (not the
VPN domains behind them) to be encrypted, and why does Tracker report
"no valid SA" if I try to ping the peer gateway from the SPLAT console?
Everything between the gateways must be encrypted unless you explicitly
exclude a service from being encrypted (I usually do this for ssh and
https). You can send encrypted pings, however. In the Global Properties,
move the "Accept ICMP" to "Before Last" instead of "First" and have an
explicit VPN rule to allow the ICMPs ("ANY" as service in a VPN rule will
also work). Similar situation for Accept DNS Queries in global props.
Anything set to "First" will be checked before your first explicit rule. The
encrypted traffic (not FW-1 control connections) must pass through a rule
with a VPN community set in the VPN column. If it is checked before the
first rule, it will never reach the explicit VPN rule (or a default
community rule).
3. And eventually, why does SmartView Monitor report "No data" in the
"Tunnels on community" and "Tunnels on gateway" sections while the VPN
main page shows that the tunnel is up and I can see the
encrypted/decrypted packet counters growing?
What do you mean by the VPN main page? Do you mean the section "VPNs" under
"Gateway Status"? The general Gateways view works more like SNMP, while the
more detailed views use the CPD_amon (18192) -- recognized by CP gateways
and OPSEC partner gateways. The gateway must act like an AMON server (mgmt
server is the AMON client) in order to get all CP status checks.
Hope this helps,
Neil Delacruz
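To make the ordering point in the answer to question 2 concrete, here is an added model (not Check Point code and not part of the original mail) of how the Global Properties implied rules are slotted in around the explicit rules; the community name "MyIntranet" and the rule names are constructed placeholders.

```python
# Model of rulebase evaluation order: implied rules from Global Properties
# ("First", "Before Last", "Last") interleaved with explicit rules.  Only the
# first matching rule counts, so an "Accept ICMP" at "First" is hit before any
# explicit rule that carries a VPN community in the VPN column.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    services: frozenset               # service names, or {"any"}
    vpn: Optional[str] = None         # community in the VPN column, None if blank
    action: str = "accept"
    implied: bool = False             # True for Global Properties implied rules

    def matches(self, service: str) -> bool:
        return "any" in self.services or service in self.services


def build_rulebase(accept_icmp: str, accept_dns: str = "First") -> list:
    """Assemble the effective evaluation order for the given implied-rule
    positions: "First" (before rule 1), "Before Last" (just before the final
    explicit rule) or "Last" (after all explicit rules)."""
    implied = [
        (accept_icmp, Rule("Accept ICMP requests", frozenset({"icmp"}), implied=True)),
        (accept_dns, Rule("Accept DNS queries", frozenset({"domain-udp"}), implied=True)),
    ]
    explicit = [                                  # constructed example rulebase
        Rule("Admin access", frozenset({"ssh", "https"})),
        Rule("Site-to-site VPN", frozenset({"any"}), vpn="MyIntranet"),
        Rule("Cleanup", frozenset({"any"}), action="drop"),
    ]
    at = lambda pos: [r for p, r in implied if p == pos]
    return at("First") + explicit[:-1] + at("Before Last") + explicit[-1:] + at("Last")


def first_match(rulebase: list, service: str) -> Rule:
    """Return the first rule that matches; nothing after it is evaluated."""
    return next(r for r in rulebase if r.matches(service))


def reaches_vpn_rule(accept_icmp: str, service: str = "icmp") -> bool:
    """True when the packet's first matching rule carries a VPN community."""
    return first_match(build_rulebase(accept_icmp), service).vpn is not None


if __name__ == "__main__":
    for pos in ("First", "Before Last"):
        hit = first_match(build_rulebase(pos), "icmp")
        print(f'Accept ICMP = {pos:11}: ping hits "{hit.name}" (VPN column: {hit.vpn})')
```

The same model shows the DNS case the answer mentions: with "Accept DNS queries" at "First", a domain-udp packet is accepted by the implied rule and never reaches the community rule either.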
On 9/23/05, Andrey Maluck <[EMAIL PROTECTED]> wrote:
>
> Hi all.
> I have a few questions regarding simplified site to site VPN between
> SPLAT NGX and Planet VRT311:
> 1. Why is not all traffic allowed through a tunnel while "Accept all
> encrypted traffic" is checked in the community settings? (For example,
> ping and ssh get encrypted while ftp does not, so only an explicit rule
> allowing ftp helps.)
> 2. Why does Check Point expect the traffic between the gateways (not the
> VPN domains behind them) to be encrypted, and why does Tracker report
> "no valid SA" if I try to ping the peer gateway from the SPLAT console?
> 3. And eventually, why does SmartView Monitor report "No data" in the
> "Tunnels on community" and "Tunnels on gateway" sections while the VPN
> main page shows that the tunnel is up and I can see the
> encrypted/decrypted packet counters growing?
> Any help is appreciated.
>
> Thanks,
> Andrey.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>