Hi,
after converting from traditional to simplified VPN mode, NGX R60
tries to establish an IPSec SA from the local encryption domain to
the external address of the remote gateway as soon as the gateway
is addressed by packets from the internal networks. A number of
gateways (especially Linux based interoperable devices) will not
accept this SA unless it is explicitly configured, which isn't
always possible. As a result, the gateway is no longer reachable
from the internal networks...
Why is NGX doing this? The Remote gateway has an encryption domain
defined and this address is *NOT* a member of this domain, so it should
not be used in an SA establishment. If I wanted it to be a member of
the encryption domain, I could configure it this way (using groups),
so there is no sense in doing it automatically.
Basically, the question is - how to get rid of it? I haven't found
anything fitting in GuiDBEdit, either (where you e.g. would find the
almighty ike_use_largest_possible_subnets to get rid of another specific
misbehavior).
TIA,
Andre.
--
.sig making fun of Santa Claus Operation currently unavailable
-> Andre Beck +++ ABP-RIPE +++ IBH Prof. Dr. Horn GmbH, Dresden <-
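As an added illustration (not part of the original post, and not Check Point or any vendor's code), the following models the check a strict IPsec responder performs on a Phase 2 proposal: it accepts a traffic selector pair only if some explicitly configured policy entry fully contains both sides. Run against the situation described above, the proposal from an internal network to the peer's external address is refused until that address is added to the encryption domain. All addresses, the encryption domains and the "covered by a configured policy entry" rule are assumptions made for the example; real responders may apply stricter (exact-match) rules.

```python
from ipaddress import ip_network

# Constructed sample data, seen from the responder (the "Linux based
# interoperable device" in the post). Its local side is that gateway's own
# encryption domain; its remote side is the NGX gateway's internal networks.
RESPONDER_LOCAL_DOMAIN = [ip_network("10.50.0.0/16")]
RESPONDER_REMOTE_DOMAIN = [ip_network("192.168.10.0/24"),
                           ip_network("192.168.20.0/24")]
# Hypothetical external address of the responder itself (not in its domain).
RESPONDER_EXTERNAL_ADDRESS = ip_network("198.51.100.7/32")


def build_spd(local_domain, remote_domain):
    """Explicit policy entries a strict responder holds: one per local/remote pair.

    This mirrors what "explicitly configured" means on such a device: only
    subnet pairs listed here can ever be negotiated.
    """
    return [(loc, rem) for loc in local_domain for rem in remote_domain]


def selector_accepted(spd, proposed_local, proposed_remote):
    """Assumed rule: accept only if one SPD entry fully contains both selectors."""
    return any(
        proposed_local.subnet_of(loc) and proposed_remote.subnet_of(rem)
        for loc, rem in spd
    )


def evaluate(spd, initiator_src, initiator_dst):
    """Evaluate a proposal as sent by the initiator (src -> dst).

    The initiator's destination is the responder's local side, and the
    initiator's source is the responder's remote side.
    """
    return selector_accepted(spd, ip_network(initiator_dst), ip_network(initiator_src))


def demo():
    """Replay the three cases from the post; returns (normal, to_gateway, after_fix)."""
    strict = build_spd(RESPONDER_LOCAL_DOMAIN, RESPONDER_REMOTE_DOMAIN)

    # Ordinary traffic between the two encryption domains: accepted.
    normal = evaluate(strict, "192.168.10.0/24", "10.50.0.0/16")

    # The behaviour complained about: an SA from an internal network to the
    # responder's external address, which is not in its encryption domain.
    to_gateway = evaluate(strict, "192.168.10.0/24", "198.51.100.7/32")

    # The workaround mentioned in the post: put the external address into the
    # encryption domain (e.g. via a group object) so the pair is explicit.
    widened = build_spd(RESPONDER_LOCAL_DOMAIN + [RESPONDER_EXTERNAL_ADDRESS],
                        RESPONDER_REMOTE_DOMAIN)
    after_fix = evaluate(widened, "192.168.10.0/24", "198.51.100.7/32")

    return normal, to_gateway, after_fix


if __name__ == "__main__":
    for label, ok in zip(("domain-to-domain", "to external address",
                          "to external address after adding it to the domain"),
                         demo()):
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'}")
```

The second case is the one that makes the remote gateway unreachable from the internal networks: the initiator keeps offering a selector the responder has no policy for, so no SA is ever established for that traffic.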