As long as they are within the encryption domain at the customer's, traffic to your encryption domain will be outside the tunnel because the computer knows such a route exists.

Enable Hub Mode on the gateway (allow SecureClient to route traffic through the gateway) and also enable it on SecureClient, preferably through a remote access connection profile (the easy way).

Hub Mode sets a new default route on the laptop to force ALL traffic down the tunnel regardless of whether it is headed to the encryption domain or not. This can have some side effects, such as effectively disabling split tunneling and denying access to local LAN resources unless they can be reached by the gateway, but it should do what you want.

Note that there were some issues with Hub Mode that got fixed in SecureClient NGX.

Ray
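A toy model of the route collision Ray describes: the laptop's local LAN at CustomerA (192.168.0.0/24) is also part of the encryption domain, so a directly connected route competes with the tunnel route for the same prefix. This is an added illustration, not code from either poster or from Check Point; the route-selection rules (longest prefix wins, on-link preferred on a tie, Hub Mode replaced by a single default route plus a host route to the gateway) and the gateway address are simplifying assumptions.

```python
"""Toy model of the encryption-domain / local-LAN overlap in this thread.
Assumptions (not SecureClient internals): longest prefix wins, a directly
connected (on-link) route beats the tunnel at equal length, and Hub Mode
is modelled as one default route into the tunnel plus a host route to the
gateway itself."""
from ipaddress import ip_address, ip_network

ENC_DOMAIN = [ip_network("172.19.0.0/16"), ip_network("192.168.0.0/24")]
CUSTOMER_LAN = ip_network("192.168.0.0/24")   # where the service laptop sits
GATEWAY_EXT = "198.51.100.10"  # constructed placeholder for the firewall's external IP

def collisions(local_nets, enc_domain):
    """Encryption-domain prefixes that overlap any of the client's local nets."""
    return [(l, e) for l in local_nets for e in enc_domain if l.overlaps(e)]

def select_egress(routes, dst):
    """Pick the egress for dst: longest prefix, on-link preferred on ties."""
    dst = ip_address(dst)
    best = None
    for prefix, egress in routes:
        if dst in prefix:
            key = (prefix.prefixlen, egress == "on-link")
            if best is None or key > best[0]:
                best = (key, egress)
    return best[1] if best else "unreachable"

def client_routes(hub_mode):
    """Constructed laptop route table while the SecureClient tunnel is up."""
    if hub_mode:
        # Hub Mode: a new default route into the tunnel; only the gateway
        # itself is still reached directly, so local LAN hosts are not.
        return [(ip_network(GATEWAY_EXT + "/32"), "on-link"),
                (ip_network("0.0.0.0/0"), "tunnel")]
    # Split tunnel: only the encryption domain is routed into the tunnel,
    # but the customer LAN is also directly connected, and that route wins.
    return [(CUSTOMER_LAN, "on-link")] + [(n, "tunnel") for n in ENC_DOMAIN]

def leaks_clear(hub_mode, dst):
    """True if traffic to dst, inside the encryption domain, leaves unencrypted."""
    in_domain = any(ip_address(dst) in n for n in ENC_DOMAIN)
    return in_domain and select_egress(client_routes(hub_mode), dst) != "tunnel"

if __name__ == "__main__":
    print("overlapping prefixes:", collisions([CUSTOMER_LAN], ENC_DOMAIN))
    for mode in (False, True):
        print("hub_mode=%s, 192.168.0.50 leaks in clear: %s"
              % (mode, leaks_clear(mode, "192.168.0.50")))
```

Running `collisions()` against a client's local subnets before enabling Hub Mode tells you whether this overlap exists at all; the model only covers the overlapping 192.168.0.0/24 prefix, not the wider Visitor Mode behaviour Marcus saw.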


From: Marcus Hess <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: [FW-1] Secureclient sends unencrypted
Date: Mon, 14 Nov 2005 10:48:32 +0100

Hello,

We experience a rather strange phenomenon for a while here. It's been like
that with NG, and now we're using NGX, and the problem still remains the
same.

Imagine the following setup:
Our internal net: 172.19.0.0/16
CustomerA net: 192.168.0.0/24

Let's imagine our firewall has 3 interfaces: Ext (to Internet), Int (to
172.19.0.0/16) and Customers (to 172.21.0.0/16).

We have a cisco router on the customer net with the IP 172.21.0.2.

We have a static route on the firewall that maps the net 192.168.0.0/24
(CustomerA) to the gateway 172.21.0.2 (the cisco router, which then NATs
the internal addresses and dials out to the customer via ISDN).

The CustomerA net is part of our encryption domain in order to enable our
service personnel to reach the customer's site via client VPN (Service
Personnel->VPN to our net->Reach CustomerA site via the ISDN over the
Cisco).

Now, when our service personnel is located at CustomerA, inside that
customer's net, the issues start.
Since our service man has an IP Address that is within the encryption
domain, but uses the CompanyA network to access the internet, the
secureclient gets confused and, after establishing communication with our
firewall, tries to send the encrypted packets to the Customers interface
(172.21.0.1, the IP of our firewall in that net). This is understandable,
though not really desired.
So we called our checkpoint service people and they told us to turn on
Visitor Mode, since that mode will cause the SecureClient to _always_
connect to the firewall's external interface.
We tried, but now the real phenomenon started:
The client connects correctly to the external interface of the firewall.
All traffic to the encryption domain leaves the client computer _outside the
tunnel_, meaning, not encrypted.
So, we have an established tunnel, but it doesn't get used.

We ran out of ideas about what we could do about it.. Maybe you've got something to
try..

By the way, we can not NAT the customer net to another network (so the
encryption domains would no longer collide), because some of the software we
are forced to use (Siemens Simatic S7 net) reacts quite allergically when the
IP it connects to is not the IP that's configured in the destination device
(it does that check and with the next update, it would update the device
with the IP address configured in the client program, which would be the
NAT'd one and therefore quite wrong..).

Also, doing the firewall connect via the ISDN line is not really an option,
because ISDN is quite slow, our router does NAT and therefore hides the
firewall from the clients and the customer's routers are set up so they
accept calls, but do not dial our site on demand.

I know, it's a bit complicated.. :)

Here's the entire path again.. Though I doubt it makes it any more clear, hehe.
The goal is to have an ISDN service connection to the customer which we also
can access via SecureClient VPN for our service people, and at the same
time, be able to use SecureClient to connect to our network when we are
inside the network of the customer.

172.19.0.0/24-----------(172.19.0.1)[OUR FIREWALL, ALSO WITH INTERNET](172.21.0.1)-------(172.21.0.1)[CUSTOMER-ROUTER](dynamic)----ISDN-----(dynamic)[ROUTER OF THE CUSTOMER](192.168.0.2)---------(192.168.0.0/24)---------(192.168.0.1)[CUSTOMER's FIREWALL]-------Internet

Best regards,

Marcus

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================