If I recall correctly you need a rule handling the applicable source/dest/service combo, and the "If Via" column should specify the VPN community that you want the traffic to go through.
Also note prior discussions about X traffic not being included in "Any."

HTH :)

----- Original Message -----
From: "Ueckert, Samuel D." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 9:30 AM
Subject: Re: [FW-1] SecureClient VPN + Hummingbird Exceed, NG FP3

I have gleaned some additional info from packet capture:

No traffic initiated from the private network with a destination of the Office Mode clients is being encrypted. It is instead going out the firewall in the clear and being NAT'ed.

I am using 'Simplified' mode for VPN's on the VPN-1 box. I do not have an option of 'Client Encrypt' for actions in the 'Security-Standard' rules, even if I turn off 'Simplified' mode.

How do I specify that traffic bound for the Office Mode IP pool should be encrypted and sent over the tunnel?

-----Original Message-----
From: Ueckert, Samuel D. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 9:42 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] SecureClient VPN + Hummingbird Exceed, NG FP3

Hi,

I am currently running a test network to evaluate whether Checkpoint NG will meet our VPN needs. Our goal is to run X sessions across a SecureClient VPN using Exceed.

The VPN forms without any trouble, and I can access network resources on the protected network across the tunnel. I can ping the VPN client machine from the Unix host, and vice versa. I have Desktop Security essentially wide open, and I can initiate various sessions (FTP, for example) inbound to the machine running SecureClient from the protected network across the tunnel.

When I attempt to initiate any X session (xterm, for example) across the tunnel, I get an error: "Xt: Can't open display 192.168.2.1:0.0" (the Office Mode address of my VPN client). I have tried with and without Office Mode enabled, and neither worked.

The Exceed configuration is a 'known good' one; I can patch the client machine down on the protected network and connect just fine. I also tried connecting to the host machine across a router, without any firewalls between the client and the host, without running SecureClient, and connected just fine, so I am confident that the problem involves SecureClient.

The test network is as follows:

The client machine is running SecureClient NG FP3 on Windows XP SP1. Its default gateway is a Cisco router with two Ethernet interfaces. The router has no access lists or firewall software installed. The Exceed version on the client is 7.0.

The other Ethernet interface of the Cisco connects to the external interface of the FW-1/VPN-1 gateway. It is running NG FP3 on Solaris 8. Its default gateway is the Cisco router. It NAT's (hide mode) between the internal network and the external network.

The Unix host machine that I am connecting sits on the internal network behind the FW-1/VPN-1, and uses the FW-1 as its gateway. It is also a Solaris 8 box.

The Cisco router in this test network only exists so that the client machine and the FW-1/vpn-1 box don't have addresses on the same network, which is forbidden for Office mode.

Any help you can lend would be appreciated.

Best Regards,
Sam Ueckert.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

Disclaimer - 01/16/2003
This information in this email is confidential and may be legally privileged. It is intended solely for Mailing list for discussion of Firewall-1. Access to this Internet email by anyone else is unauthorized. EnvestnetPMC, Inc.
does not accept time-sensitive transactional messages, including orders to buy and sell securities, account allocation instructions, or any other instructions affecting a client account, via e-mail. If you are not the intended recipient of this email, any disclosure, copying, or distribution of it is prohibited and may be unlawful. If you have received this email in error, please notify the sender and immediately and permanently delete it and destroy any copies of it that were printed out. When addressed to our clients, any opinions or advice contained in this email is subject to the terms and conditions expressed in any applicable governing EnvestnetPMC terms of business or agreements.
