/***************
I apologize for submitting this message again, but my subscription to the mailing list 
"did not take" this morning, and I may have missed some of your replies.  I would be 
very grateful for any reposts.
******************/

I have FW-1 version 4.1 build 41489 running on Solaris 2.6.  I have two Internet feeds 
running into this firewall.  I also have VPN tunnels terminated on the primary 
interface (i.e. the IP address in the firewall object's main window).  The remote VPN 
devices are a mix of FreeSWAN and Instant Internet VPN appliances.  I am using ISAKMP, 
MD5, Single DES, and pre-shared secrets for the VPN tunnels.

Due to link utilization issues, I would like to run some, but not all, of my VPN 
traffic on the second Internet feed.  So, I created another gateway object (not a FW-1 
object) that is identified by the IP address of the secondary Internet feed, with an 
encryption domain of the internal network, which is the same encryption domain (same 
Network object) used by the primary FW-1 object.  

The VPN tunnel comes up and session keys are negotiated using the IP address of the 
secondary Internet feed on the firewall.  The problem is that the firewall then 
proceeds to use the primary interface to send VPN data to the remote.  The remote 
rejects it, of course, since it does not have a VPN session established with that 
particular IP address.  However, if the remote sends encrypted traffic to the 
secondary address of the firewall, the traffic is decrypted, and forwarded to the 
ultimate destination on the internal network.  This has been confirmed by examining 
logs and protocol traces.

The question is: is there a fix that will allow the firewall to encrypt on two 
external interfaces concurrently?  Is this a configuration issue, or is there a 
software patch?


Thank you in advance for everyone's help.

Regards,


Greg Chandler
Systems Engineer
Williams Communications
403-735-6613
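The symptom described above (IKE negotiated on the secondary address, ESP then leaving from the primary address) is something you confirm from a protocol trace, so here is a small check for that. This is an added example, not code from the original post or from Check Point; it works on a flattened trace summary of (src, dst, ip-protocol, dst-port) tuples, and every address in it is a constructed placeholder, as are the `TRACE` records. The firewall's external addresses are passed in as a set; the script maps each remote peer to the firewall address it exchanged IKE (UDP/500) with, then flags any outbound ESP (IP protocol 50) toward that peer whose source address differs.

```python
"""Correlate IKE negotiations with outbound ESP in a trace summary.

Added example (not from the original post). Records are
(src, dst, ip_proto, dst_port) tuples; dst_port is None for non-UDP/TCP.
All addresses below are constructed placeholders.
"""

UDP = 17        # IP protocol number for UDP
ESP = 50        # IP protocol number for ESP
IKE_PORT = 500  # ISAKMP/IKE

# Constructed addresses standing in for the post's topology.
FW_PRIMARY = "192.0.2.1"        # primary Internet feed (firewall object's main IP)
FW_SECONDARY = "198.51.100.1"   # secondary Internet feed (separate gateway object)
PEER_A = "203.0.113.10"         # remote VPN device that should use the primary feed
PEER_B = "203.0.113.20"         # remote VPN device that should use the secondary feed

# Constructed trace summary reproducing the reported behaviour.
TRACE = [
    (PEER_A, FW_PRIMARY, UDP, IKE_PORT),
    (FW_PRIMARY, PEER_A, UDP, IKE_PORT),
    (FW_PRIMARY, PEER_A, ESP, None),
    (PEER_A, FW_PRIMARY, ESP, None),
    (PEER_B, FW_SECONDARY, UDP, IKE_PORT),
    (FW_SECONDARY, PEER_B, UDP, IKE_PORT),
    (FW_PRIMARY, PEER_B, ESP, None),    # the symptom: ESP leaves from the wrong address
    (PEER_B, FW_SECONDARY, ESP, None),  # inbound ESP to the secondary address still arrives
]


def ike_local_address(trace, firewall_addrs):
    """Map each remote peer to the firewall address it negotiated IKE with.

    Only UDP/500 records with exactly one firewall-side endpoint are counted,
    so firewall-to-firewall or peer-to-peer noise is ignored.
    """
    local_for_peer = {}
    for src, dst, proto, dport in trace:
        if proto != UDP or dport != IKE_PORT:
            continue
        if src in firewall_addrs and dst not in firewall_addrs:
            local_for_peer[dst] = src
        elif dst in firewall_addrs and src not in firewall_addrs:
            local_for_peer[src] = dst
    return local_for_peer


def mismatched_esp(trace, firewall_addrs):
    """Return (peer, negotiated_local, esp_src) for outbound ESP sent from the
    wrong firewall address, i.e. not the one IKE was negotiated on."""
    local_for_peer = ike_local_address(trace, firewall_addrs)
    problems = []
    for src, dst, proto, _ in trace:
        if proto != ESP or src not in firewall_addrs:
            continue
        expected = local_for_peer.get(dst)
        if expected is not None and expected != src:
            problems.append((dst, expected, src))
    return problems


def report(trace, firewall_addrs):
    """Human-readable summary; returns the list of lines it would print."""
    lines = []
    for peer, expected, actual in mismatched_esp(trace, firewall_addrs):
        lines.append(
            f"peer {peer}: IKE negotiated on {expected}, but ESP sent from {actual}"
        )
    if not lines:
        lines.append("no ESP source/IKE address mismatches found")
    return lines


if __name__ == "__main__":
    for line in report(TRACE, {FW_PRIMARY, FW_SECONDARY}):
        print(line)
```

On the constructed trace this reports peer 203.0.113.20 as negotiated on 198.51.100.1 but sent ESP from 192.0.2.1, which is exactly the case the remote device rejects. Feeding it a summary exported from a real capture (src, dst, protocol, port) lets you tell a routing/source-address problem apart from a policy or key-negotiation problem before opening a support case.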




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================