The encryption domains do not overlap at all, but both firewalls have 2
interfaces in two different shared networks (management and internal)
and the internal network is in the encryption domain of FW1, not FW2, but
when those IP addresses try to access FW2 and its encryption domain
(encrytiondomain2) we get the error from rule 0 saying that those packets
need to be encrypted...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Hugo
van der Kooij
Sent: Tuesday, August 28, 2007 9:14 PM
To: [email protected]
Subject: Re: [FW-1] VPN problem - encryption domain confusion between 2
firewalls

On Tue, 28 Aug 2007, no-need to-list wrote:

> VPN domain cannot overlap, unless you are using all these firewalls in
> a cluster mode such as clusterXL.

Whatever network segments you have in encryption domain 1 should not exist in
encryption domain 2; this is the cleanest way to do it.

If you really need to overlap network segments then you need to do some
fancy NAT (network address translation), and most of the problems are
usually routing or NAT or both.

Or look into the concept of MEP. It allows multiple firewalls under
common management to share the encryption domain and allow the user or
admin to determine through which gateway you can enter the network.

Hugo.

-- 
        [EMAIL PROTECTED]       http://hugo.vanderkooij.org/
            This message is using 100% recycled electrons.

        Some men see computers as they are and say "Windows"
        I use computers with Linux and say "Why Windows?"
        (Thanks JFK, for this quote of George Bernard Shaw.)
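As an added example that is not part of this thread, the two checks Hugo's advice implies can be scripted before a policy is pushed: the encryption domains of gateways under one management must not share address space, and a network that both gateways sit on but that only one gateway's domain contains (the poster's "internal" network) deserves a second look, because the gateway owning it expects traffic from there to arrive encrypted. All addresses below are constructed; the gateway names and the `SHARED_NETWORKS` table are assumptions for the sake of the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample, not the thread's real addresses: two gateways under one
# management, each with an encryption domain, plus the two networks in which
# both gateways have an interface (management and internal).
ENCRYPTION_DOMAINS = {
    "FW1": ["10.10.0.0/16", "172.16.50.0/24"],  # 172.16.50.0/24 is "internal"
    "FW2": ["10.20.0.0/16", "10.10.5.0/24"],    # 10.10.5.0/24 lies inside FW1's /16
}
SHARED_NETWORKS = {"management": "172.16.1.0/24", "internal": "172.16.50.0/24"}


def parse_domains(domains):
    """Turn CIDR strings into ip_network objects; strict parsing makes typos fail loudly."""
    return {gw: [ipaddress.ip_network(n) for n in nets] for gw, nets in domains.items()}


def find_overlaps(domains):
    """Return (gw_a, net_a, gw_b, net_b) for every pair of gateways whose
    encryption domains share address space. Per the thread, this list must be
    empty unless the gateways are a cluster (ClusterXL) or deliberately use MEP."""
    parsed = parse_domains(domains)
    hits = []
    for gw_a, gw_b in combinations(sorted(parsed), 2):
        for net_a in parsed[gw_a]:
            for net_b in parsed[gw_b]:
                if net_a.overlaps(net_b):
                    hits.append((gw_a, str(net_a), gw_b, str(net_b)))
    return hits


def shared_networks_by_domain(domains, shared):
    """For each network both gateways sit on, list the gateways whose encryption
    domain fully contains it. A shared network claimed by exactly one gateway is
    the situation the poster describes: that gateway treats the network as
    VPN-only, so clear-text packets from it toward the other gateway get dropped."""
    parsed = parse_domains(domains)
    report = {}
    for name, cidr in shared.items():
        net = ipaddress.ip_network(cidr)
        report[name] = sorted(gw for gw, nets in parsed.items()
                              if any(net.subnet_of(d) for d in nets))
    return report


if __name__ == "__main__":
    for hit in find_overlaps(ENCRYPTION_DOMAINS):
        print("OVERLAP: %s %s <-> %s %s" % hit)
    for name, owners in shared_networks_by_domain(ENCRYPTION_DOMAINS, SHARED_NETWORKS).items():
        print("shared network %-10s in domain of: %s" % (name, owners or "nobody"))
```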

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================

