We seem to have a problem with CheckPoint FireWall-1 and subnets across
a VPN. Here's the scoop:
We have four sites, with network numbers as follows:
Site A   192.168.3.0/24
Site B   172.16.0.0/16
Site C   10.12.0.0/14
Site D   172.20.0.0/16
There are six VPNs, one between each pair of sites. We use IKE/ISAKMP
for key exchange, MD5 for hashing, DES encryption, and Perfect Forward
Secrecy.
Everything works. However . . .
We are trying to renumber Site D to be 10.16.0.0/14 (eventually, Site A
will become 10.8.0.0/12 and Site B 10.4.0.0/12). However, when we do
this, not only does the D <--> B VPN stop working, the C <--> B VPN
fails, and most times the A <--> B link dies, too! When we switch back
to 172.20, it works again.
If we take down the C <--> B link, B <--> D (as 10.16) works, but dies
when C <--> B comes up. We can't renumber C, but I'll bet that if we did
(to, say, 172.21.0.0/16), everything would work.
So, what's the problem here? More specifically, does anyone know of a
bug or limitation in FW-1 (well, VPN-1) that prevents us from doing
this? Or, does anyone out there actually have this working?
We've had eight different people check everything we can think of:
subnet masks, encryption domains, firewall objects, static routes (which
is all we use), the routers, the hosts on the nets -- everything! We're
still willing to believe the problem is pilot error, but I'll be *VERY*
surprised if that turns out to be true.
Yes, we've called CheckPoint; so far, they can't figure it out either.
Please help!
Thanx,
AdamM
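An added check, not part of the original post, that a practitioner would run before chasing a product bug: normalize every encryption-domain prefix and test all pairs for overlap, for the working layout, the failing intermediate step (only Site D renumbered), and the planned end state. It assumes the encryption domains are exactly the site networks quoted above (the post does not show the actual domain objects); the site labels and the dict names are the example's own.

```python
import ipaddress
from itertools import combinations

# Constructed from the subnets quoted in the post; the encryption domains are
# assumed to equal the site networks (an assumption, the post does not show them).
CURRENT = {
    "A": "192.168.3.0/24",
    "B": "172.16.0.0/16",
    "C": "10.12.0.0/14",
    "D": "172.20.0.0/16",
}
# Only Site D renumbered, which is the state the post reports as failing.
STEP1 = dict(CURRENT, D="10.16.0.0/14")
# The end state the post describes for A and B.
PLANNED = {
    "A": "10.8.0.0/12",
    "B": "10.4.0.0/12",
    "C": "10.12.0.0/14",
    "D": "10.16.0.0/14",
}


def normalize(prefix):
    """Return (network, on_boundary).

    strict=False zeroes the host bits the way most firewall object editors
    silently do; on_boundary is False when the prefix as written is not a
    valid network address for its mask (e.g. 10.8.0.0/12 -> 10.0.0.0/12).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return net, str(net) == prefix


def check_domains(domains):
    """Report off-boundary prefixes and every pair of overlapping domains.

    Returns {"malformed": [(site, as_written, as_normalized), ...],
             "overlaps": [(site1, site2), ...]} with sites in sorted order.
    """
    nets = {}
    malformed = []
    for site, prefix in domains.items():
        net, ok = normalize(prefix)
        nets[site] = net
        if not ok:
            malformed.append((site, prefix, str(net)))
    overlaps = [
        (s1, s2)
        for (s1, n1), (s2, n2) in combinations(sorted(nets.items()), 2)
        if n1.overlaps(n2)
    ]
    return {"malformed": malformed, "overlaps": overlaps}


def domains_for(domains, address):
    """Sites whose (normalized) domain contains the address; more than one
    means a peer cannot pick a unique tunnel for that destination."""
    addr = ipaddress.ip_address(address)
    return sorted(s for s, p in domains.items() if addr in normalize(p)[0])


if __name__ == "__main__":
    for name, layout in (("current", CURRENT), ("step1", STEP1), ("planned", PLANNED)):
        print(name, check_domains(layout))
    print("10.13.1.1 under planned layout:", domains_for(PLANNED, "10.13.1.1"))
```

The working layout and the intermediate step both come back clean, so plain overlap between the four /14 and /16 domains does not by itself explain the failure the post describes; that is worth knowing before blaming the product. The planned end state is a different matter: 10.8.0.0/12 and 10.4.0.0/12 are not on a /12 boundary, both normalize to 10.0.0.0/12, and that block swallows Site C's 10.12.0.0/14, so a host such as 10.13.1.1 would match three domains at once.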
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]