>>> On 12/3/2009 at 1:19 AM, pkc_mls <[email protected]> wrote:
> a bv wrote:
>> They wanted me to add an access rule for both ways between that host at
>> LAN and whole DMZ subnet for ESP protocol group. At the host sides
>> the owners (other people from my company) applied IPsec on the hosts
>> as I know. Can you explain in detail for statement in writing?
>> Regards
> Sounds really strange.
> As someone already mentioned on the list, you need either 2 gateways or
> one gateway and one VPN client for IPSEC.
>
> If the device in between has already some VPN connection,
> it can be quite hard to have IKE or ESP go through.
>
> If the need is to secure traffic between a DMZ and the LAN, what's the
> benefit of having already a firewall in between?
I don't know what everyone is getting so worked up about. It's perfectly legitimate for two hosts to speak IPsec between them. Transport mode IPsec, anyone? IPsec is a peer-to-peer protocol. You can just open up IP protocol 50 (ESP) and 500/udp bidirectionally for the hosts or networks in question. Doesn't Check Point have an "IPSEC" service group object for this that comes predefined?
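As an added illustration (not code from the thread, and not Check Point's own rulebase or service-group implementation), the following Python models what "ESP plus 500/udp, bidirectionally, between the LAN host and the DMZ subnet" means as a first-match rulebase, and evaluates a few constructed packets against it. The addresses, rule name and sample packets are assumptions chosen for the example; the real "IPSEC" service group object is not modelled.

```python
"""Model of a bidirectional host-to-DMZ IPsec rule (added illustration).

Not code from the mailing-list thread or from Check Point. It models a rule that
permits ESP (IP protocol 50) and IKE (udp/500) in both directions between one
LAN host and a DMZ subnet, with the usual implicit final drop. Addresses, rule
name and packet samples are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

ESP = 50           # IP protocol number for ESP
AH = 51            # IP protocol number for AH (not in the permitted group)
UDP = 17
IKE_PORT = 500     # IKE/ISAKMP over UDP
NAT_T_PORT = 4500  # UDP-encapsulated ESP/IKE, needed only when NAT is in the path


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP/TCP


@dataclass(frozen=True)
class Service:
    proto: int
    dport: Optional[int] = None   # None: no port check (e.g. ESP has no ports)

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and (self.dport is None or pkt.dport == self.dport)


# The service group the thread talks about: ESP itself plus IKE on udp/500.
IPSEC_GROUP = (Service(ESP), Service(UDP, IKE_PORT))


@dataclass(frozen=True)
class Rule:
    name: str
    side_a: ipaddress.IPv4Network
    side_b: ipaddress.IPv4Network
    services: Sequence[Service]
    bidirectional: bool = True
    action: str = "accept"

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        forward = src in self.side_a and dst in self.side_b
        reverse = self.bidirectional and src in self.side_b and dst in self.side_a
        return (forward or reverse) and any(s.matches(pkt) for s in self.services)


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """First-match evaluation; anything unmatched hits the implicit drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Assumed addresses: one LAN host and the whole DMZ subnet.
LAN_HOST = ipaddress.ip_network("10.1.1.10/32")
DMZ = ipaddress.ip_network("192.168.100.0/24")

RULEBASE = [
    Rule("lan-host <-> dmz IPsec", LAN_HOST, DMZ, IPSEC_GROUP),
]

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "esp lan->dmz":   Packet("10.1.1.10", "192.168.100.5", ESP),
    "esp dmz->lan":   Packet("192.168.100.5", "10.1.1.10", ESP),
    "ike dmz->lan":   Packet("192.168.100.5", "10.1.1.10", UDP, IKE_PORT),
    "ah lan->dmz":    Packet("10.1.1.10", "192.168.100.5", AH),
    "nat-t lan->dmz": Packet("10.1.1.10", "192.168.100.5", UDP, NAT_T_PORT),
    "esp other host": Packet("10.1.1.11", "192.168.100.5", ESP),
}


def decisions() -> dict:
    """Verdict for each sample packet under RULEBASE."""
    return {name: evaluate(RULEBASE, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} {verdict}")
```

Two things the model makes visible: AH (protocol 51) is not part of the ESP/IKE group, so an AH policy on the hosts would be dropped unless added explicitly, and udp/4500 (NAT-T) is likewise dropped. That second one only matters if the firewall NATs between the host and the DMZ; in that case ESP itself will not survive and the hosts would have to negotiate UDP encapsulation, so 4500/udp would have to be opened as well.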
