All,

I have run into a customer situation where they require encryption on more than one external interface. Basically they have an extranet that requires encryption on one interface, and want to use SecuRemote on another interface.

The management is a 1U pizza-box style server, and the enforcement points are a pair of Nokia IP440s running VRRP (IPSO 3.5fcs7).

We originally installed it using SecurePlatform on the management console, and as far as I remember, it worked, using site-to-site VPN on one interface and SecuRemote to another interface.

We had to reload the management server due to some limitations of SecurePlatform, and once we did that, encryption broke on the Internet interface (basically you could only encrypt to the interface IP that was in the Cluster Object's IP Address field).

The management server was reloaded with Red Hat 7.2 and was fully functional, except for the ability to encrypt on multiple interfaces, which the customer requires.

We went back and reloaded the management today with SecurePlatform FP2, but got the same results (no encryption on the 2nd external IF).

Nokia and Check Point claim that FireWall-1 is designed that way, but there was a workaround in 4.1 that doesn't work in NG (setting the Cluster and FW objects' "IPSec_main_if_nat" to True from False).

If anyone has any light they can shed on this, it would be greatly appreciated.

Thank you.

Scott Friedman
Security Engineer
Advanced Network Solutions
1750 S. Telegraph Rd Suite 100
Bloomfield Hills, MI 48302
(248) 857-5526 x132
