Did you edit the vpn_route.conf file?
Are all three gateways in the same VPN Community?
Did you create one security rule for both directions?

I know nothing about the IP40s.  Is this a centrally managed device?  Or is
it considered an externally managed gw?  Is it like a Sofaware box?

Try editing each fw object to have its own respective enc domain.  Then edit
the vpn_route.conf file on the mgmt server.  The vpn_route.conf file will
update the vpn routing table of the fw gateways (not too sure about the
IP40, though).


Neil Delacruz


On 2/1/06, Aleks Feltin <[EMAIL PROTECTED]> wrote:
>
> Hello again!
>
> I have already tried to do it thru the VPN Routing option while
> configuring community via the SmartDashboard...
> The problem is that Check Point drops the packets on the spoke, saying
> that they belong to the different encryption domains
> Combining 2 or more explicitly created internal_net objects into group
> and placing it as an encryption domain didn't give any positive
> result...it seems that dedicated local network ip acting as an
> encryption domain doesn't satisfy my needs. I believe..one encryption
> domain is not enough on the central gateway..any ideas?
>
> wbr,
>
> Aleks
>
> >What you want to accomplish is totally doable in CP.  However, I've never
> >worked with an IP-40, but I have done what you want to do using Star topo
> >and domain-based vpn with regular CP gateways.  Choose the VPN routing
> >option on your Star community props ("to center and thru center to
> >satellites").  You can also edit the $FWDIR/conf/vpn_route.conf file if you
> >need to route between different communities.  Create one rule to cover
> >traffic in both directions.  You can even route vpn-client to vpn-client.
> >
> >Check out sk31021.  Also read the VPN Routing section of the VPN-1 PDF on
> >your CP media.
> >
> >
> >
> >HTH,
> >
> >Neil Delacruz
> >
> >
> >
> >On 1/25/06, Aleks Feltin <[EMAIL PROTECTED]> wrote:
> >
> >
> >>Hi folks!
> >>
> >>I am looking for your help, which could be a solution to my issue.
> >>I'm building a site-to-site VPN between 3 gateways. Gateways
> >>authenticate each other using the pre-shared key.  Different VPN-1
> >>versions are used with management installed on each. There is also one
> >>Nokia IP-40 embedded device.
> >>
> >>Communication between IP-40 and NGX works just perfectly, although this
> >>is not enough. To complete the goal, a node in LAN-A should access
> >>resources in LAN-B and vice versa.
> >>Check Point VPN guide offers 2 ways to implement VPN routing - based
> >>on the VPN domain or using the OS routing. I believe the latter is much
> >>harder.
> >>My first question is which one could be easier to use, and where I could
> >>find some step by step guides according to a similar topology?
> >>Additionally, sharing your experience is appreciated!
> >>
> >>Here is information about the topology:
> >>
> >>VPN Domain A -- 192.168.11.0/24
> >>|
> >>|
> >>[ 192.168.11.1 ]
> >>Firewall A  (IPSO/R55W)
> >>[ 10.0.5.2 ]
> >>|
> >>|
> >>External Network -- 10.0.5.0/24
> >>|
> >>|
> >>switch ----- 10.0.5.1 Central Gateway (IPSO/NGX)
> >>|
> >>|
> >>External Network 10.0.5.0/24
> >>|
> >>|
> >>[ 10.0.5.4 ]
> >>Firewall B (Nokia IP-40 embedded device)
> >>[ 192.168.10.1 ]
> >>|
> >>|
> >>VPN Domain B -- 192.168.10.0/24
> >>
> >>I hope to get some helpful answers, also I am ready to supply you with
> >>additional information if needed.
> >>with best regards,
> >>
> >>Aleks
> >>
> >>=================================================
> >>To set vacation, Out-Of-Office, or away messages,
> >>send an email to [EMAIL PROTECTED]
> >>in the BODY of the email add:
> >>set fw-1-mailinglist nomail
> >>=================================================
> >>To unsubscribe from this mailing list,
> >>please see the instructions at
> >>http://www.checkpoint.com/services/mailing.html
> >>=================================================
> >>If you have any questions on how to change your
> >>subscription options, email
> >>[EMAIL PROTECTED]
> >>=================================================
> >>
> >>
> >>
> >
> >
> >
>
>
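
The vpn_route.conf edit suggested in this thread, sketched for the quoted topology as an added example (not part of the original messages). The object names are hypothetical stand-ins for the encryption-domain and gateway objects defined in SmartDashboard.

```conf
# $FWDIR/conf/vpn_route.conf (on the management server)
# Columns, whitespace-separated:
#   destination        router (next hop)    install on
#
# Hypothetical object names (assumptions, not from the thread):
#   LAN_A_EncDom  = 192.168.11.0/24, encryption domain of Firewall A
#   LAN_B_EncDom  = 192.168.10.0/24, encryption domain of Firewall B
#   Central_GW    = 10.0.5.1, the central gateway (IPSO/NGX)
#   Firewall_A    = 10.0.5.2 (IPSO/R55W)
#   Firewall_B    = 10.0.5.4 (Nokia IP-40)

# On Firewall A, traffic for LAN-B goes into the tunnel to the central gateway
LAN_B_EncDom    Central_GW    Firewall_A

# On Firewall B, traffic for LAN-A goes into the tunnel to the central gateway
LAN_A_EncDom    Central_GW    Firewall_B
```

Each gateway object keeps only its own LAN as its encryption domain, and the policy has to be reinstalled after the file is edited. Whether the IP-40 honours these entries is left open in the thread.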

