A quick workaround for this should be to add a route for the remote
encryption domain to the firewall to go via the gateway on NIC B. The
routing engine on the Check Point will try and route the packet before
it actually performs the encapsulation. This results in Check Point
incorrectly stamping the source of the encapsulated packet as the NIC
with the default gateway set.

Just add a normal static route to the remote encryption domain (not just
the remote peer) to go via your router on NIC B.

If that doesn't work, we will have to investigate other options.

Cheers

Matthew

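To make the routing decision Matthew describes concrete, here is an added example (not code from the thread, from Check Point, or from either poster): a small longest-prefix-match model of the gateway's routing table. The NIC-A (1.2.3.4) and NIC-B (5.6.7.8) addresses are the thread's; the remote peer (203.0.113.1), the remote encryption domain (192.0.2.0/24) and the route entries are assumed sample values. It shows the IKE packets leaving NIC-B while the encapsulated packet for the encryption domain is sourced from NIC-A via the default route, and how a static route for the encryption domain itself (not only the peer) makes both come out of NIC-B.

```python
import ipaddress

# Constructed routing table for the model (added example, not from the thread).
# Each entry: (destination prefix, egress interface, source address stamped).
# 1.2.3.4 / 5.6.7.8 are the NIC addresses from the thread; the peer and the
# remote encryption domain below are assumed sample values.
BASE_ROUTES = [
    ("0.0.0.0/0", "NIC-A", "1.2.3.4"),       # default route via the ISP-A router
    ("203.0.113.1/32", "NIC-B", "5.6.7.8"),  # host route to the VPN peer via ISP-B
]

REMOTE_PEER = "203.0.113.1"          # assumed address of the interoperable peer
REMOTE_ENC_DOMAIN = "192.0.2.0/24"   # assumed remote encryption domain


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, source_ip) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def tunnel_sources(routes, peer, enc_domain):
    """Source used for IKE (route to the peer) versus the source stamped on the
    encapsulated packet, which the thread says is chosen by routing the inner
    destination (a host in the remote encryption domain) before encapsulation."""
    ike_iface, ike_src = lookup(routes, peer)
    inner_host = str(next(ipaddress.ip_network(enc_domain).hosts()))
    esp_iface, esp_src = lookup(routes, inner_host)
    return {"ike": (ike_iface, ike_src), "esp": (esp_iface, esp_src)}


def source_mismatch(routes, peer, enc_domain):
    """True when the peer would see IKE from one address and ESP from another,
    the situation behind the 'IP addresses do not match' complaint."""
    s = tunnel_sources(routes, peer, enc_domain)
    return s["ike"][1] != s["esp"][1]


def with_workaround(routes, enc_domain, iface="NIC-B", src="5.6.7.8"):
    """Apply the suggested workaround: a static route for the remote
    encryption domain itself out of NIC-B, in addition to the peer route."""
    return routes + [(enc_domain, iface, src)]


if __name__ == "__main__":
    for label, routes in (("before", BASE_ROUTES),
                          ("after ", with_workaround(BASE_ROUTES, REMOTE_ENC_DOMAIN))):
        state = "mismatch" if source_mismatch(routes, REMOTE_PEER, REMOTE_ENC_DOMAIN) else "ok"
        print(label, tunnel_sources(routes, REMOTE_PEER, REMOTE_ENC_DOMAIN), state)
```

The check to apply on a real gateway is the same one the model makes: look up the route to a host inside the remote encryption domain, not just to the peer, and confirm it leaves the interface whose address you expect the peer to see.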

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Chontzopoulos Dimitris
Sent: 20 February 2008 01:13 PM
To: [email protected]
Subject: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How
to *force* a specific NIC for a VPN Tunnel

Hello there guys,

I've searched as much as I could, but wasn't able to find a *solid*
response to the question:

On Check Point NG R55W AI, can someone *force* a VPN Tunnel to be
established on a specific External Network Interface Card? As you
imagine, we have a Check Point NG R55W AI with 2 NICs on 2 different
Switches, connected onto 2 different Routers, connected onto 2
different ISPs.

CP -------- ISP-A (CP NIC-A: 1.2.3.4)
|
|
|
ISP-B (CP NIC-B: 5.6.7.8)

NIC 1.2.3.4 is the one used in the Firewall-Object-Properties and where
the License resides. We want to establish the VPN
(Interoperable Device, NOT Check Point Firewall) on NIC 5.6.7.8.

What's happening is that we do send IKE Packets from NIC-B to the other
side and when IKE Phase 1 is about to complete, the Firewall
on the other side complains that the IP Addresses do not match for the
IPSec Tunnel. In other words, even though the IKE connection initiated
by NIC-B is correct, when IKE Phase 1 is about to complete,
the IP Address within the Payload WE send is not for NIC-B,
but for NIC-A... The actual message we get back from the other side is
this:

IKE:  Phase 1 Received Notification from Peer: payload malformed

I have tried the following:

- Policy, Global Properties, VPN, Advanced, "Resolving Mechanism",
Enable dynamic interface resolving per gateway (must be defined
per gateway)
- (then on the Gateway object) VPN, VPN Advanced, Dynamic Interface
resolving configuration..., Enable dynamic resolution by peer
VPN-1 gateways, Upon tunnel initialization
- Using GUIDBEdit, changed the following:
  * IPSec_orig_if_nat from *true* to *false*
  * IPSec_main_if_nat left as *false*

Some facts:
- Our Firewall is an NG R55W AI, HFA04, Hotfix011, Build 004
- The VPN Module is an NG R55W AI, HFA04, Hotfix011, Build 003
- The other Firewall is an Astaro something...
- We're running Traditional Mode

Any ideas, comments, remarks? Any help is greatly appreciated!!!


Cheers,



Dimitris

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================