Hey,

Well, resetting SIC as this will be managed from a new firewall manager, and to
complicate things all interfaces configured are on a 10.x, along with the
cluster IP. So to manage this from our network we have to change the management
interfaces to our address on the firewall policy object; the other side of the
VPN sees and communicates site to site to this cluster IP 10.x. My thinking is
to change the modules and cluster IP to our address just on the policy firewall
object, not the hardware, and leave the rest. This is because when we
communicate to the IPs of the modules they get NATed to the 10.x; however, the
other VPN sees it as a 10.x, so when we do SIC and push a new policy my guess is
this will conflict, or the fact our IPs, say, are 28.x but are then seen coming
across as 10.x. Or does the firewall object have to match exactly what the
interfaces are on the physical boxes? As you can gather, a bit of a nightmare.
Hope this makes sense, and yup, could do with some practical advice on how best
to achieve this with the same VPN set up but a different management set up.

On Thu, 02 Jun 2011 07:15 BST Independent IT Consultant wrote:

>If doing an upgrade_export / upgrade_import, it won't be an issue.  If a SIC
>reset or new ICA is involved, then yes, you cannot.
>
>Why are you resetting SIC?
>
>On Tue, May 31, 2011 at 12:52 PM, Peter Addy <[email protected]> wrote:
>
>> Thanks, would I be correct in saying that you cannot use the same VPN
>> certificate for the same VPN, where only the manager SmartCenter is
>> changing?
>>
>> On Tue, 24 May 2011 17:28 BST David DeSimone wrote:
>>
>> >Gary Scott <[email protected]> wrote:
>> >>
>> >> VPNs would break right away, as soon as you reset SIC the initial policy is
>> >> loaded
>> >
>> >One presumes that you would not reset SIC until you are just about to
>> >install the new policy.
>> >
>> >
>> >> ________________________________
>> >> From: David DeSimone <[email protected]>
>> >> To: [email protected]
>> >> Sent: Tue, May 24, 2011 8:55:28 AM
>> >> Subject: Re: [FW-1] vpn and manager
>> >>
>> >> VPNs would not break right away.  The gateways are in the habit of
>> >> pre-loading the CRL every 2 hours, so they should have a recent copy of
>> >> it whenever they need it; the problem is that the expiry lifetime of the
>> >> CRL is 24 hours at best, which is why that is the maximum time you have
>> >> to establish new SIC and install a new policy.
>> >>
>> >> There is no way to avoid using certificated-based authentication for
>> >> internally-managed gateways, I believe.  It is not an available option
>> >> to use pre-shared secrets, except with externally-managed peers.
>> >>
>> >>
>> >> Peter Addy <[email protected]> wrote:
>> >> >
>> >> > Thanks, now to add a further spin! What if the manager changed and SIC
>> >> > was established with another manager, would the VPNs break instantly
>> >> > or not until a new policy was pushed from the new manager? Basically I
>> >> > assume there is no real way to keep a VPN intact and hardly any down
>> >> > time if a new manager was deployed changing the VPN from cert to pre
>> >> > shared key, cheers
>> >> >
>> >> >
>> >> > On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>> >> >
>> >> > >Since we just recently had this happen to us on our network, I can
>> >> > >confirm that this is exactly what happens.
>> >> > >
>> >> > >Certificate-based VPNs will fail within 24 hours due to the gateways'
>> >> > >inability to load the CRL.
>> >> > >
>> >> > >Pre-shared secret VPNs will continue to operate, presumably
>> >> > >indefinitely.
>> >> > >
>> >> > >
>> >> > >Independent IT Consultant <[email protected]> wrote:
>> >> > >>
>> >> > >> It greatly depends on the *type* of VPN.  If using certificates (such
>> >> > >> as with Edges or other gateways that are centrally managed), then
>> >> > >> the limiting factor is the CRL expiration on the ICA, which is, by
>> >> > >> default, 24 hours.  In this case, tunnels that can't validate their
>> >> > >> certificates will fail after that CRL timeout period.  Remember,
>> >> > >> it's 24 hours after the last CRL refresh, not necessarily 24 hours
>> >> > >> after the SMC went down.  With VPNs to external gateways using shared
>> >> > >> secret, they may work indefinitely, but I wouldn't guarantee it.
>> >> > >>
>> >> > >>
>> >> > >> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]> wrote:
>> >> > >>
>> >> > >> > Curious, does anyone know how long VPNs would continue to work if a
>> >> > >> > SmartCenter was down and not available? And if they do stop, why
>> >> > >> > is this so, or do they simply continue to run but changes cannot be
>> >> > >> > made until the manager was restored? Thanks
>> >
>> >--
>> >David DeSimone == Network Admin == [email protected]
>> >  "I don't like spinach, and I'm glad I don't, because if I
>> >   liked it I'd eat it, and I just hate it." -- Clarence Darrow
>> >
>> >Scanned by Check Point Total Security Gateway.
>> >
>> >=================================================
>> >To set vacation, Out-Of-Office, or away messages,
>> >send an email to [email protected]
>> >in the BODY of the email add:
>> >set fw-1-mailinglist nomail
>> >=================================================
>> >To unsubscribe from this mailing list,
>> >please see the instructions at
>> >http://www.checkpoint.com/services/mailing.html
>> >=================================================
>> >If you have any questions on how to change your
>> >subscription options, email
>> >[email protected]
>> >=================================================

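The CRL timing the thread describes (gateways pre-load the CRL every 2 hours, the CRL lives 24 hours at best, and the clock runs from the last refresh rather than from the moment the SmartCenter went away) can be turned into a simple planning check for the maintenance window. The script below is an added example; it is not part of this thread and not Check Point's own tooling. The 24-hour and 2-hour constants come from the thread; the gateway names, the timestamps and the fixed-cadence model of CRL refreshes are assumptions made for illustration.

```python
"""Added example (not from the thread): estimate how long certificate-based
VPN tunnels keep validating once the SmartCenter (the ICA / CRL source) is
unreachable, and therefore how much time is left to re-establish SIC and
install a policy from the new manager.

Assumption (not Check Point documentation): each gateway re-fetches the CRL
on a fixed cadence and treats the copy it holds as valid for a fixed lifetime
counted from that CRL's issue time. Names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CRL_LIFETIME = timedelta(hours=24)          # thread: CRL lifetime "24 hours at best"
CRL_REFRESH_INTERVAL = timedelta(hours=2)   # thread: gateways pre-load the CRL every 2h


@dataclass
class Gateway:
    name: str
    auth: str                                   # "cert" (internally managed) or "psk" (external peer)
    last_crl_fetch: Optional[datetime] = None   # issue time of the CRL copy the gateway holds


def validation_deadline(gw: Gateway) -> Optional[datetime]:
    """Instant after which the gateway can no longer validate peer certificates.

    The deadline is measured from the last CRL refresh, not from when the
    SMC went down. Pre-shared-secret peers never consult the CRL, so None."""
    if gw.auth != "cert":
        return None
    if gw.last_crl_fetch is None:
        raise ValueError(f"{gw.name}: certificate gateway without a CRL fetch time")
    return gw.last_crl_fetch + CRL_LIFETIME


def guaranteed_window(refresh: timedelta = CRL_REFRESH_INTERVAL,
                      lifetime: timedelta = CRL_LIFETIME) -> timedelta:
    """Worst-case time available after an outage: the CRL a gateway holds may
    already be one refresh interval old when the SMC disappears."""
    return lifetime - refresh


def maintenance_plan(gateways: List[Gateway], smc_down_at: datetime) -> Dict[str, Optional[float]]:
    """Hours left (from the outage) before each cert gateway stops validating;
    None for PSK peers, which are unaffected by the CRL."""
    plan: Dict[str, Optional[float]] = {}
    for gw in gateways:
        deadline = validation_deadline(gw)
        if deadline is None:
            plan[gw.name] = None
        else:
            plan[gw.name] = round((deadline - smc_down_at) / timedelta(hours=1), 2)
    return plan


# Constructed sample: outage at 08:00 UTC; two cert gateways refreshed the
# CRL at different times beforehand, plus one externally managed PSK peer.
SMC_DOWN_AT = datetime(2011, 5, 24, 8, 0, tzinfo=timezone.utc)
SAMPLE_GATEWAYS = [
    Gateway("fw-a", "cert", datetime(2011, 5, 24, 7, 30, tzinfo=timezone.utc)),
    Gateway("fw-b", "cert", datetime(2011, 5, 24, 6, 5, tzinfo=timezone.utc)),
    Gateway("ext-partner", "psk"),
]

if __name__ == "__main__":
    print(f"guaranteed window after any outage: {guaranteed_window()}")
    for name, hours in maintenance_plan(SAMPLE_GATEWAYS, SMC_DOWN_AT).items():
        status = "unaffected (PSK)" if hours is None else f"{hours}h until cert validation fails"
        print(f"{name:12s} {status}")
```

The point the thread makes is visible in the output: fw-a and fw-b break at different times even though the outage hit both at once, and with a 2-hour refresh against a 24-hour CRL the only figure you can rely on for scheduling the SIC reset and policy install is the 22-hour worst case, not 24.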