Dennis Breithaupt <[EMAIL PROTECTED]> wrote:

> Have you checked that failover works smoothly in your setup without
> the VPN tunnels having to be re-established?
I'm really not sure what to tell you that will really convince you. We've run with this setting disabled for a couple of years now. We've seen all sorts of equipment failures, network interruptions, etc., and failover has always worked correctly, all traffic originated with the correct IPs, etc. The Cluster Hide NAT setting just does not have anything to do with any traffic from VPN-1. I am pretty certain it only applies to traffic originated by the firewall's host OS. This means DNS, NTP, and any other traffic that originates from the firewall box itself.

> Do even locally initiated tunnels source from the VRRP and not the
> physical IP? Without the specified switch turned on, I could not see
> the mechanism which should control the source IP to be the VRRP IP.
> That's why I explicitly ask again...

The VPN encapsulation is performed by the kernel module, so it can form packets any way that it pleases. It uses the cluster object IP, so packets originate from the cluster IP. IKE negotiations are performed by vpnd, which also originates from the correct IP, probably by binding its socket directly to that IP.

> What special manual NAT rules are you talking of? Do you need manual
> NAT rules for your VPNs to work, or do you mean arbitrary other
> NAT rules for "other" traffic?

Our offices use private RFC1918 IPs, so we have to use Hide NAT in order to talk to the internet correctly. So we choose to hide that traffic behind the gateway, and since the gateway is the cluster object, the cluster IP is used for this NAT. For inter-office VPN we have selected "Disable NAT within the VPN Community", so there is no NAT within VPNs in our setup. Though I am certain that, if you did use NAT within your VPN, it would still work correctly. The reason I believe this is that VPN traffic does not originate from the firewall itself, but from behind the firewall. Since it does not originate ON the firewall, the Cluster Hide NAT setting would not apply anyway.
> I'll discuss this further with our CSP and CP as soon as I've got
> your statements.

I would be interested to hear if their experience is different from mine.

-- 
David DeSimone == Network Admin == [EMAIL PROTECTED]
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
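As an added example (not part of this message, and not Check Point tooling), the following Python script turns the source-address expectations stated above into a check over constructed flow records: IKE/ESP must always carry the cluster (VRRP) IP, firewall-host traffic such as DNS and NTP carries the cluster IP only when Cluster Hide NAT is enabled, and transit traffic from RFC1918 offices must have been hidden before leaving. The addresses, the port-to-category mapping and the `Flow` record are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IKE_PORTS = {500, 4500}          # IKE and NAT-T, negotiated by vpnd
HOST_SERVICE_PORTS = {53, 123}   # DNS and NTP, originated by the firewall's host OS
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    src: str
    proto: str                   # "udp", "tcp" or "esp"
    dport: Optional[int] = None

def classify(flow: Flow) -> str:
    """'vpn' for IKE/ESP, 'host' for firewall-OS service traffic, else 'transit'."""
    if flow.proto == "esp" or (flow.proto == "udp" and flow.dport in IKE_PORTS):
        return "vpn"
    if flow.dport in HOST_SERVICE_PORTS:
        return "host"
    return "transit"

def audit(flows, cluster_ip, member_ips, cluster_hide_nat):
    """Return (flow, category) for every flow whose source address is wrong:
    vpn must be the cluster IP regardless of Cluster Hide NAT; host is the cluster IP
    only when Cluster Hide NAT is on, else a member IP; transit must not be RFC1918."""
    problems = []
    for f in flows:
        cat = classify(f)
        if cat == "vpn":
            ok = f.src == cluster_ip
        elif cat == "host":
            ok = f.src == cluster_ip if cluster_hide_nat else f.src in member_ips
        else:
            ok = not any(ipaddress.ip_address(f.src) in net for net in RFC1918)
        if not ok:
            problems.append((f, cat))
    return problems

# Constructed sample: one VRRP address, two member addresses, five observed flows.
CLUSTER_IP = "198.51.100.10"
MEMBER_IPS = {"198.51.100.11", "198.51.100.12"}
SAMPLE = [
    Flow("198.51.100.10", "udp", 500),   # IKE from the cluster IP: correct
    Flow("198.51.100.10", "esp"),        # ESP from the cluster IP: correct
    Flow("198.51.100.11", "udp", 53),    # DNS from a member IP: fine with Cluster Hide NAT off
    Flow("198.51.100.11", "udp", 4500),  # NAT-T from a member IP: peer would see a new address on failover
    Flow("10.1.2.3", "tcp", 443),        # private source leaked past Hide NAT
]
```

Running `audit(SAMPLE, CLUSTER_IP, MEMBER_IPS, cluster_hide_nat=False)` flags only the NAT-T and leaked-private flows; with `cluster_hide_nat=True` the DNS flow from the member address is flagged as well.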
