Just because your net C is the encryption domain for that site does not mean that the network will try to encrypt all traffic passing through the FW for site B. Unless... your site C is seeing the encryption domain for site B being behind site B FW. So when site C net tries for site B net, it is trying to do IKE with the endpoint, site B. You could allow this and set your phase 2 to NULL; IKE will still happen, but you will not be encrypting the traffic with IPSEC. It will be clear text; only authentication and integrity will be checked for this connection. If you do not want any IKE to happen, then remove site B from all common communities with site C. If site B is not doing any encryption, turn off VPN-1 as an installed product. Make sure you do not have any VPN domain overlap too.
-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Edouard Zorrilla
Sent: Friday, December 15, 2006 7:28 AM
To: [email protected]
Subject: Re: [FW-1] VPN Question

Thanks a lot for your reply.

MyHost(SiteC) --- EncriptedTrafficIPSec --- SiteA
MyHost(SiteC) --- ClearTextIP --- SiteB

The SiteB does not belong to any other Community, even though when I try to send traffic to SiteB I get an error that says: "Packet droped since there is no valid SA".

The issue is that I have set the source MyHost inside my manually defined VPN Domain, and for that reason it seems that the Firewall Checkpoint wants to send traffic encrypted even to SiteB. I have even tried to include the service to SiteB as an excluded service inside the community that makes the VPN to SiteA, and I am still getting the same error.

I will appreciate your help in advance,

Best Regards

----- Original Message -----
From: "Christian ALT" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, December 15, 2006 12:57 AM
Subject: Re: [FW-1] VPN Question

> This is possible. Is site B part of any VPN?
>
> Did I understand right that your host is in site C?
>
> If you want a refined answer please detail your configuration.
>
> Christian ALT
>
> Telecom and Logistics Associates
> Network Security Company
> Security Lead Auditor for ISO 27001
> http://www.tla.ch
> Agenda Romand de la formation IT et Securité
> http://www.tla.ch/agenda.htm
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Edouard Zorrilla
> Sent: Friday, 15 December 2006 02:26
> To: [email protected]
> Subject: [FW-1] VPN Question
>
> Hi People,
>
> I have a host behind a Nokia cluster NGX. I am trying to make a VPN tunnel
> so that the same host sends IPSec traffic to site A and clear text to Site B.
> Is that possible in checkpoint? I have it working with other devices but in
> checkpoint it simply does not work. When I set the tunnel it sends all
> traffic encrypted even to site B.
>
> Can anyone help me with how to set it? I will really appreciate it,
>
> Regards
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
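A simplified model of the encryption decision discussed in this thread, added here as an example (it is not Check Point's implementation and not code from any poster). It assumes traffic is selected for encryption when source and destination fall in the encryption domains of two different gateways that share a community; the addresses and the community name `C-to-A` are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed topology: site names follow the thread, addresses are made up.
DOMAINS = {
    "SiteA": ["10.1.0.0/16"],
    "SiteB": ["10.2.0.0/16"],
    "SiteC": ["192.168.3.0/24"],
}
COMMUNITIES = {"C-to-A": {"SiteA", "SiteC"}}  # SiteB is in no community


def owners(ip, domains):
    """Gateways whose encryption domain contains the address."""
    addr = ipaddress.ip_address(ip)
    return {gw for gw, nets in domains.items()
            if any(addr in ipaddress.ip_network(n) for n in nets)}


def decide(src, dst, domains, communities):
    """Simplified rule: encrypt when src and dst sit in the domains of two
    different gateways that share a community; otherwise send in clear."""
    src_gws, dst_gws = owners(src, domains), owners(dst, domains)
    for name, members in sorted(communities.items()):
        for s in src_gws & members:
            if (dst_gws & members) - {s}:
                return ("encrypt", name)
    return ("clear", None)


def overlaps(domains):
    """Pairs of gateways whose encryption domains share address space."""
    found = []
    for (g1, n1), (g2, n2) in combinations(sorted(domains.items()), 2):
        if any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
               for a in n1 for b in n2):
            found.append((g1, g2))
    return found


if __name__ == "__main__":
    host_c, host_a, host_b = "192.168.3.10", "10.1.0.5", "10.2.0.5"
    print(decide(host_c, host_a, DOMAINS, COMMUNITIES))   # tunnel to SiteA
    print(decide(host_c, host_b, DOMAINS, COMMUNITIES))   # clear to SiteB
    # Misconfiguration: SiteA's domain widened so it swallows SiteB's range.
    wide = dict(DOMAINS, SiteA=["10.0.0.0/14"])
    print(overlaps(wide), decide(host_c, host_b, wide, COMMUNITIES))
```

In this model, either a shared community with SiteB or a domain overlap is enough to pull SiteB-bound traffic into the tunnel decision, which is why both checks are worth running against the real object definitions.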
