Could it be a problem of whether or not subnets are supported on non-byte
boundaries?
What happens if you use /16 instead of /14?

Note: Although not your *immediate* problem, you should note that

10.8/12 and 10.4/12 are not valid.

  10.8... = 00001010.00001000...
    /12   = 11111111.11110000...
  10.4... = 00001010.00000100...

for /12, the subnets are

 10.0, 10.16, 10.32, 10.48, ...

I assume the "/12" was meant to be "/14" which would be valid?

----- Original Message -----

> We seem to have a problem with CheckPoint FireWall-1 and subnets across
> a VPN. Here's the scoop:
>
> We have four sites, with network numbers as follows:
>
>     Site A            Site B
> 192.168.3.0/24     172.16.0.0/16
>
>
>     Site C            Site D
> 10.12.0.0/14      172.20.0.0/16
>
> There are six VPNs, one between each pair of sites. We use IKE/ISAKMP
> for key exchange, MD5 for hashing, DES encryption, and Perfect Forward
> Secrecy.
>
> Everything works. However . . .
>
> We are trying to renumber Site D to be 10.16.0.0/14 (eventually, Site A
> will become 10.8.0.0/12 and Site B 10.4.0.0/12). However, when we do
> this, not only does the D <--> B VPN stop working, the C <--> B VPN
> fails, and most times the A <--> B link dies, too! When we switch back
> to 172.20, it works again.
>
> If we take down the C <--> B link, B <--> D (as 10.16) works, but dies
> when C <--> B comes up. We can't renumber C, but I'll bet that if we did
> (to, say, 172.21.0.0/16), everything would work.
>
> So, what's the problem here? More specifically, does anyone know of a
> bug or limitation in FW-1 (well, VPN-1) that prevents us from doing
> this? Or, does anyone out there actually have this working?
>
> We've had eight different people check everything we can think of:
> subnet masks, encryption domains, firewall objects, static routes (which
> is all we use), the routers, the hosts on the nets -- everything! We're
> still willing to believe the problem is pilot error, but I'll be *VERY*
> surprised if that turns out to be true.
>
> Yes, we've called CheckPoint; so far, they can't figure it out either.


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
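As an added example (not part of the original mail or the thread), the checks the reply above does by hand, done with Python's standard ipaddress module: whether a prefix such as 10.8/12 is aligned (no host bits set), what block a lenient parser would silently substitute for it, which /12 blocks actually exist inside 10/8, and whether any two encryption-domain prefixes overlap. The site prefixes are the ones quoted in the post; the shorthand expansion, the helper names and the "planned" list are my own construction.

```python
"""Alignment and overlap checks for VPN encryption-domain prefixes.

Added example, not code from the original mail.  The prefixes used in
main() are the ones quoted in the post; helpers are constructed here.
"""
import ipaddress
from itertools import combinations


def expand_cidr(cidr: str):
    """Expand shorthand like '10.8/12' to ('10.8.0.0', 12)."""
    addr, plen = cidr.split("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address in {cidr!r}")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets), int(plen)


def check_alignment(cidr: str):
    """Return (aligned, canonical) for a prefix.

    aligned is True when no host bits are set, i.e. the address really is
    the first address of a /plen block.  canonical is the block a lenient
    parser would use instead: the address with the host bits masked off.
    """
    addr, plen = expand_cidr(cidr)
    net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
    aligned = net.network_address == ipaddress.IPv4Address(addr)
    return aligned, str(net)


def first_subnets(parent: str, new_prefix: int, count: int):
    """List the first `count` /new_prefix blocks inside `parent`."""
    out = []
    for sub in ipaddress.IPv4Network(parent).subnets(new_prefix=new_prefix):
        out.append(str(sub))
        if len(out) == count:
            break
    return out


def overlapping_pairs(cidrs):
    """Return every pair of prefixes whose address ranges overlap.

    Misaligned prefixes are masked the way a lenient parser would mask
    them, so the result shows what such a parser would actually install.
    """
    nets = []
    for c in cidrs:
        addr, plen = expand_cidr(c)
        nets.append(ipaddress.IPv4Network(f"{addr}/{plen}", strict=False))
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    for cidr in ["10.8/12", "10.4/12", "10.8.0.0/14", "10.4.0.0/14",
                 "10.12.0.0/14", "10.16.0.0/14"]:
        aligned, canonical = check_alignment(cidr)
        state = "ok" if aligned else f"host bits set, would be read as {canonical}"
        print(f"{cidr:>14}: {state}")

    print("/12 blocks in 10/8:", first_subnets("10.0.0.0/8", 12, 4))

    # Prefixes as quoted in the post: current layout with D already at 10.16/14.
    current = ["192.168.3.0/24", "172.16.0.0/16", "10.12.0.0/14", "10.16.0.0/14"]
    print("overlaps (current):", overlapping_pairs(current))

    # Constructed: the eventual renumbering written as /12 versus as /14.
    planned_12 = ["10.8/12", "10.4/12", "10.12.0.0/14", "10.16.0.0/14"]
    planned_14 = ["10.8/14", "10.4/14", "10.12.0.0/14", "10.16.0.0/14"]
    print("overlaps (A/B as /12):", overlapping_pairs(planned_12))
    print("overlaps (A/B as /14):", overlapping_pairs(planned_14))
```

Run it as a script. The /12 case shows why the reply's note matters: masked to their real /12 boundary, both 10.8/12 and 10.4/12 become 10.0.0.0/12, which contains Site C's 10.12.0.0/14, so a parser that silently masks host bits would install overlapping domains, whereas the same addresses as /14 are aligned and disjoint.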