VPN domains cannot overlap, unless you are using all these firewalls in a 
cluster mode such as ClusterXL.

Whatever network segments you have in encryptiondomain1 should not exist in 
encryptiondomain2; this is the cleanest way to do it.

If you really need to overlap network segments, then you need to do some fancy 
NAT (network address translation), and most of the problems are usually routing 
or NAT or both.

----- Original Message ----
From: Cihan Subasi <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, August 27, 2007 6:21:32 AM
Subject: Re: [FW-1] VPN problem - encryption domain confusion between 2 
firewalls


hi all,

we have 2 firewalls managed by the same management. fw1 is our public
VPN peer that we usually use for internet VPNs and has an encryption
domain, Encryptiondomain1. Now we need to do another VPN from FW2 to FW3
over the internet again. But as soon as we select VPN under the Check Point
products window, assign an encryption domain and install FW2, the
IP addresses that are in FW1's encryption domain
(encryptiondomain1) lose connectivity (access) to FW2. We have tried
to create a group with exclusion, and we tried an empty encryption domain for
FW2; none of them worked for us. When an IP address that is part of
FW1's encryption domain accesses FW2 with telnet, ssh or icmp, in the
logs we see a DROP with "clear text message, packet must be encryted"
messages...

Any clue or idea why this is happening? Thanks


***********************************************************
Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel:(90)(212)4783426 GSM:(90)(533)(2750353)
Fax:(90)(212)6576150
http://www.garantitechnology.com <http://www.garantitechnology.com/> 
mailto:[EMAIL PROTECTED] 
Success is a wonderful thing, but never underestimate the value of
failure. Failure teaches many more things than success ever can. 
*********************************************************** 





=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
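
The rule stated in the reply at the top of this thread (no segment of one encryption domain may also exist in another) can be checked before a policy is installed. This is an added example, not part of the original thread and not a Check Point tool; the domain names, the addresses and the `domain_overlaps` helper are constructed for illustration, and each domain is assumed to be a list of CIDR networks, single hosts or `first-last` address ranges.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: three encryption domains, not taken from the thread.
SAMPLE_DOMAINS = {
    "encryptiondomain1": ["10.10.0.0/16", "192.168.50.0/24"],
    "encryptiondomain2": ["10.10.20.0/24", "172.16.5.10-172.16.5.20"],
    "encryptiondomain3": ["172.16.5.16/30", "192.168.60.0/24"],
}

def to_networks(member):
    """Expand one member (CIDR, single host, or 'first-last' range) to CIDR blocks."""
    if "-" in member:
        first, last = (ipaddress.ip_address(p.strip()) for p in member.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False tolerates entries written with host bits set, e.g. 10.1.1.5/24
    return [ipaddress.ip_network(member.strip(), strict=False)]

def domain_overlaps(domains):
    """Return sorted (domain_a, domain_b, shared_cidr) for every overlapping segment."""
    expanded = {name: [n for m in members for n in to_networks(m)]
                for name, members in domains.items()}
    found = set()
    for (name_a, nets_a), (name_b, nets_b) in combinations(expanded.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if a.version == b.version and a.overlaps(b):
                    # Overlapping CIDR blocks are always nested, so the shared
                    # segment is the more specific (longer prefix) of the two.
                    shared = a if a.prefixlen >= b.prefixlen else b
                    found.add((name_a, name_b, str(shared)))
    return sorted(found)

if __name__ == "__main__":
    for dom_a, dom_b, cidr in domain_overlaps(SAMPLE_DOMAINS):
        print(f"OVERLAP {dom_a} <-> {dom_b}: {cidr}")
```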


      