services being allowed in the FireWall-1 Implied Rules are not encrypted through the VPN tunnel!
In order to let services that are allowed in the FireWall-1 Implied Rules be encrypted through the VPN tunnel, disable these services in the FireWall-1 Implied Rules.
cheers and happy xmas
reinhard
At 18:45 23.12.2003, you wrote:
I'm experiencing some strange behaviour with a NG/AI R55 ClusterXL setup.
There is a Site-to-site VPN community with two participating gateways; the cluster, and one externally managed gateway. Behind the externally managed gateway there are clients on a 10.x.x.x network that are supposed to have access to the management station behind the cluster gateway.
Almost all traffic flows nicely across this VPN tunnel:
10.x.x.x clients can ping the mgmt server, they can log on over ssh and access the https interface on both mgmt server and cluster nodes. However, traffic to the CPMI port is dropped by the cluster gateway with the following explanation in the log:
Service: CPMI Source: 10.x.x.225 Destination: mgmt-server (10.y.y.40) Rule: Information: encryption failure: Different community ID, possible NAT problem (VPN Error code 02)
Anyone got an idea on what might be the cause of this behaviour? I know it's not a NAT related problem because there are no NAT rules in place on either side of the tunnel.
Thanks,
/Kenny
--
Kenny Jansson [EMAIL PROTECTED]
Sentor AB, Orphei Drängars plats 1, 753 11 Uppsala, Sweden
phn: +46 (0) 18 65 30 01 | gsm: +46 (0) 70 757 30 01
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
--
Reinhard Stich, ASSIST [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-10