Hi Dimitris,

Just a thought, verify that NIC-A & B (1.2.3.4/5.6.7.8) are NOT included 
in CP's own encryption domain


Regards

Andrew


CSC Computer Sciences Limited
Registered Office: Royal Pavilion, Wellesley Road, Aldershot, Hampshire, 
GU11 1PZ, UK
Registered in England No: 0963578

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please 
delete without copying and kindly advise us by e-mail of the mistake in 
delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to 
any order or other contract unless pursuant to explicit written agreement 
or government initiative expressly permitting the use of e-mail for such 
purpose.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




Chontzopoulos Dimitris <[EMAIL PROTECTED]> 
Sent by: Mailing list for discussion of Firewall-1 
<[email protected]>
19/03/2008 14:10
Please respond to
Mailing list for discussion of Firewall-1 
<[email protected]>


To
[email protected]
cc

Subject
Re: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How to 
*force* a specific NIC for a VPN Tunnel






Hello Matthew,

Well, I tried what you suggested and it just won't work!!! I'm having 
multiple headaches right now...!!!...!!!

I've tried routing the Remote Encryption Domain to:
- NIC-B directly
- The Router of NIC-B
- Both the 2 above at the same time

The settings I'm currently using are the following:

Traditional Mode Configuration
Global Properties, VPN, Advanced, "Enable VPN-1 gateway to calculate 
statically..."
IPSec_orig_if_nat (true)
IPSec_main_if_nat (false)
Routing the VPN Domain to the Router of NIC-B
Default Gateway on NIC-A

Please help!!!


Kind regards,



Dimitris


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Chontzopoulos
Dimitris
Sent: Wed, 20 Feb 2008 13:36:21 +0200
To: [email protected]
Subject: RE: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - 
How to *force* a specific NIC for a VPN Tunnel

A quick workaround for this should be to add a route for the remote
encryption domain to the firewall to go via the gateway on NIC B. The
routing engine on the Check Point will try and route the packet before
it actually performs the encapsulation. This results in Check Point
incorrectly stamping the source of the encapsulated packet as the NIC
with the default gateway set.

Just add a normal static route to the remote encryption domain (not just
the remote peer) to go via your router on NIC B.

If that doesn't work, we will have to investigate other options.

Cheers

Matthew
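To make the two points raised in this thread concrete (Matthew's: the kernel route lookup for the *cleartext* destination decides which NIC, and hence which source IP, the encapsulated packet gets, so the static route has to cover the remote encryption domain and not only the peer; and Andrew's: the gateway's own interface addresses must not sit inside its own encryption domain), here is a small added Python model. It is not code from the thread or from Check Point; the routing table is a longest-prefix-match toy, the /24 masks, router addresses, remote peer and remote domain are constructed values, and only the NIC names and addresses come from the thread.

```python
import ipaddress

# Constructed gateway interfaces modelled on the thread: NIC-A (1.2.3.4) holds
# the default route, NIC-B (5.6.7.8) sits behind a second router. The /24
# masks and router addresses are assumptions for this example.
INTERFACES = {
    "NIC-A": ipaddress.ip_interface("1.2.3.4/24"),
    "NIC-B": ipaddress.ip_interface("5.6.7.8/24"),
}
ROUTER_A = ipaddress.ip_address("1.2.3.1")  # assumed next hop on NIC-A
ROUTER_B = ipaddress.ip_address("5.6.7.1")  # assumed next hop on NIC-B

# Constructed remote side: the interoperable peer and the network behind it.
REMOTE_PEER = ipaddress.ip_address("9.9.9.9")
REMOTE_DOMAIN = ipaddress.ip_network("10.200.0.0/16")


def make_route(prefix, nexthop, iface):
    """A route entry: (destination network, next hop or None if connected, egress NIC)."""
    return (ipaddress.ip_network(prefix), nexthop, iface)


# Routing table before any workaround: the two connected networks plus the
# default route via NIC-A, which is the situation described in the thread.
BASE_ROUTES = [
    make_route("1.2.3.0/24", None, "NIC-A"),
    make_route("5.6.7.0/24", None, "NIC-B"),
    make_route("0.0.0.0/0", ROUTER_A, "NIC-A"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (egress NIC, source IP) for a destination.

    This models the kernel routing decision that happens before IPsec
    encapsulation; the source IP of the outer packet follows the chosen NIC.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], str(INTERFACES[best[2]].ip)


def with_peer_route_only(routes):
    """Insufficient fix: a host route for the peer alone via router B."""
    return routes + [make_route(f"{REMOTE_PEER}/32", ROUTER_B, "NIC-B")]


def with_workaround(routes):
    """Matthew's suggestion: a static route for the whole remote encryption domain via router B."""
    return routes + [make_route(str(REMOTE_DOMAIN), ROUTER_B, "NIC-B")]


def overlaps_own_domain(local_domain_prefixes):
    """Andrew's check: list gateway NICs whose address lies inside the gateway's own encryption domain."""
    nets = [ipaddress.ip_network(p) for p in local_domain_prefixes]
    return sorted(name for name, itf in INTERFACES.items()
                  if any(itf.ip in n for n in nets))


if __name__ == "__main__":
    host = "10.200.1.1"  # constructed host inside the remote encryption domain
    print("default only      :", lookup(BASE_ROUTES, host))
    print("peer route only   :", lookup(with_peer_route_only(BASE_ROUTES), host))
    print("domain route added:", lookup(with_workaround(BASE_ROUTES), host))
    print("NICs inside own domain:", overlaps_own_domain(["192.168.0.0/16", "1.2.3.0/24"]))
```

Running it shows the behaviour the thread describes: with only the default route, traffic for the remote domain leaves NIC-A and is stamped 1.2.3.4; a host route for the peer alone changes where IKE goes but not where the protected traffic is routed, so the mismatch persists; only the route for the whole remote domain moves it to NIC-B (5.6.7.8). The last line illustrates Andrew's check, flagging NIC-A when its subnet has mistakenly been put into the gateway's own encryption domain.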

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Chontzopoulos
Dimitris
Sent: Wednesday, February 20, 2008 13:13
To: [email protected]
Subject: [FW-1] Multiple External Interfaces and IPSec VPN Tunnels - How 
to *force* a specific NIC for a VPN Tunnel

Hello there guys,

I've searched as much as I could, but, wasn't able to find a *solid* 
response to the question:

On Check Point NG R55W AI, can someone *force* a VPN Tunnel to be 
established on a specific External Network Interface Card? As you
imagine, we have a Check Point NG R55W AI with 2 NICs on 2 different 
Switches, connected onto 2 different Routers, connected onto 2
different ISPs.

CP -------- ISP-A (CP NIC-A: 1.2.3.4)
|
|
|
ISP-B (CP NIC-B: 5.6.7.8)

NIC 1.2.3.4 is the one used in the Firewall-Object-Properties and where 
the License resides. We want to establish the VPN
(Interoperable Device, NOT Check Point Firewall) on NIC 5.6.7.8.

What's happening is that we do send IKE Packets from NIC-B to the other 
side and when IKE Phase 1 is about to complete, the Firewall
on the other side complains that the IP Addresses do not match for the 
IPSec Tunnel. In other words, even though the IKE connection initiated by
NIC-B is correct, when IKE Phase 1 is about to complete, 
the IP Address within the Payload WE send is not for NIC-B,
but for NIC-A... The actual message we get back from the other side is 
this:

IKE:  Phase 1 Received Notification from Peer: payload malformed

I have tried the following:

- Policy, Global Properties, VPN, Advanced, "Resolving Mechanism", Enable 
dynamic interface resolving per gateway (must be defined
per gateway)
- (then on the Gateway object) VPN, VPN Advanced, Dynamic Interface 
resolving configuration..., Enable dynamic resolution by peer
VPN-1 gateways, Upon tunnel initialization
- Using GUIDBEdit, changed the following:
  * IPSec_orig_if_nat from *true* to *false*
  * IPSec_main_if_nat left as *false*

Some facts:
- Our Firewall is an NG R55W AI, HFA04, Hotfix011, Build 004
- The VPN Module is an NG R55W AI, HFA04, Hotfix011, Build 003
- The other Firewall is an Astaro something...
- We're running Traditional Mode

Any ideas, comments, remarks? Any help is greatly appreciated!!!


Cheers,



Dimitris

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================


Scanned by Check Point Total Security Gateway.
