Hi, I don't have an R55W version anymore so I can't verify it, but in newer versions you can use "Link Selection".
You will find it on your Gateway (Cluster) properties -> VPN -> Link Selection. It will apply to all VPNs terminated on that Gateway.

Regards,
Torkel

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> [EMAIL PROTECTED] On Behalf Of Chontzopoulos Dimitris
> Sent: Wednesday, February 20, 2008 12:13 PM
> To: [email protected]
> Subject: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How
> to *force* a specific NIC for a VPN Tunnel
>
> Hello there guys,
>
> I've searched as much as I could, but, wasn't able to find a *solid*
> response to the question:
>
> On Check Point NG R55W AI, can someone *force* a VPN Tunnel to be
> established on a specific External Network Interface Card? As you
> imagine, we have a Check Point NG R55W AI with 2 NICs on 2 different
> Switches, connected onto 2 different Routers, connected onto 2
> different ISPs.
>
> CP -------- ISP-A (CP NIC-A: 1.2.3.4)
> |
> |
> |
> ISP-B (CP NIC-B: 5.6.7.8)
>
> NIC 1.2.3.4 is the one used in the Firewall-Object-Properties and where
> the License resides. We want to establish the VPN
> (Interoperable Device, NOT Check Point Firewall) on NIC 5.6.7.8.
>
> What's happening is that we do send IKE Packets from NIC-B to the other
> side and when IKE Phase 1 is about to complete, the Firewall
> on the other side complains that the IP Addresses do not match for the
> IPSec Tunnel. In other words, even though the initiated by
> NIC-B IKE connection is correct, when IKE Phase 1 is about to complete,
> the IP Address within the Payload WE send, is not for NIC-B,
> but, for NIC-A... The actual message we get back from the other side is
> this:
>
> IKE: Phase 1 Received Notification from Peer: payload malformed
>
> I have tried the following:
>
> - Policy, Global Properties, VPN, Advanced, "Resolving Mechanism", Enable
> dynamic interface resolving per gateway (must be defined
> per gateway)
> - (then on the Gateway object) VPN, VPN Advanced, Dynamic Interface
> resolving configuration..., Enable dynamic resolution by peer
> VPN-1 gateways, Upon tunnel initialization
> - Using GUIDBEdit, changed the following:
> * IPSec_orig_if_nat from *true* to *false*
> * IPSec_main_if_nat left as *false*
>
> Some facts:
> - Our Firewall is an NG R55W AI, HFA04, Hotfix011, Build 004
> - The VPN Module is an NG R55W AI, HFA04, Hotfix011, Build 003
> - The other Firewall is an Astaro something...
> - We're running Traditional Mode
>
> Any ideas, comments, remarks? Any help is greatly appreciated!!!
>
>
> Cheers,
>
>
>
> Dimitris
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
