The two firewalls will require a route to the other's workstation object IP address.
That is, if the firewall A object contains address x.x.x.x with interfaces
x.x.1.x, x.x.2.x, and firewall B has y.y.y.y as its workstation object IP with
interfaces y.y.1.y, y.y.2.y, the only way the two boxes will VPN between each other
is if firewall A has a valid route to y.y.y.y and vice versa. -Hope I haven't
confused you even more...
CryptoTech
"LIM, Norman" wrote:
> Hello,
>
> I have 2 firewalls on v4 patch 4058 and switched the firewalls to use ISAKMP
> for the VPN instead of FWZ. However, I can only successfully run the VPN by
> taking legal IP. Any attempts to talk illegal IP will either have nothing
> shown in the log or a reject entry saying that the packet is not ISAKMP.
>
> The encryption domains have been set correctly.
>
> If I add the following rules into the beginning of the security policy,
> before the encryption rule,
>
> Firewall-A, Firewall-B, ISAKMP, Accept
> Firewall-B, Firewall-A, ISAKMP, Accept
>
> The VPN does not allow legal IP. Illegal IP still does not work.
>
> Do you have any idea what is wrong? Thanks in advance!
>
> Cheers,
> Norman Lim
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
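The reachability condition in the reply above (each firewall needs a route to the other's gateway object address before ISAKMP can even begin) as an added example, not code from the thread or from Check Point; the routing tables, the gateway addresses and the `lookup_route`/`vpn_peers_routable` names are all constructed for illustration:

```python
import ipaddress

# Constructed routing tables for the two firewalls in the thread.
# Each entry is (destination prefix, next hop or None for directly connected).
# Addresses are placeholders from RFC 5737 documentation ranges.
FIREWALL_A_ROUTES = [
    ("192.0.2.0/24", None),          # interface on the x.x.1.x side
    ("198.51.100.0/24", None),       # interface on the x.x.2.x side
    ("0.0.0.0/0", "192.0.2.1"),      # default route toward the Internet
]
FIREWALL_B_ROUTES = [
    ("203.0.113.0/24", None),        # interface on the y.y.1.y side
    ("10.20.0.0/16", None),          # interface on the y.y.2.y side
    # Deliberately no default route: B has no path to A's gateway address.
]


def lookup_route(routes, dest):
    """Longest-prefix match of dest against routes.

    Returns the matching (prefix, next_hop) tuple, or None when no route
    covers dest at all."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def vpn_peers_routable(routes_a, gw_a, routes_b, gw_b):
    """Check the condition from the reply: A must hold a route to B's gateway
    (workstation object) address and B must hold one to A's.

    Returns (a_to_b, b_to_a); ISAKMP negotiation needs both to be True."""
    return (lookup_route(routes_a, gw_b) is not None,
            lookup_route(routes_b, gw_a) is not None)


if __name__ == "__main__":
    a_to_b, b_to_a = vpn_peers_routable(FIREWALL_A_ROUTES, "192.0.2.10",
                                        FIREWALL_B_ROUTES, "203.0.113.10")
    print("Firewall A can route to B's gateway:", a_to_b)
    print("Firewall B can route to A's gateway:", b_to_a)
```

With the constructed tables the check comes back asymmetric, which is the situation the reply describes: one side can reach the peer, the other cannot, so no VPN is established.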