Normally, when you try to open a VPN to a cluster, you disable the "primary interfaces" on the Battle Zone side and leave only the cluster address as a route possibility, to avoid having that kind of issue... But it is sometimes mandatory for licensing purposes to keep the BZ address, as the policies won't load otherwise...

If there is a router in front of the firewall cluster, you can NAT them to the Cluster IP, resolving that issue on the VPN tunnel itself... And this can be done on either side, assuming all cluster addresses are on the same subnet...

Just thinking.....
-gab
--------------------------------------------
Gabriel Beaulieu
Network Administrator
SunGard
EMS - BrokerWare*
Tel: (514) 982-6687 x 258
Fax: (514) 982-9476
Email: [EMAIL PROTECTED]
Web: www.brokerware.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rod Cappon
Sent: Wednesday, October 24, 2001 3:40 PM
To: '[EMAIL PROTECTED]'
Subject: VPN tunnel between PIX and Checkpoint in a failover config
I am trying to set up a LAN-to-LAN VPN tunnel between a PIX Firewall and two Checkpoint Firewalls set up in a Failover Configuration. The CPF has a virtual IP set up on the cluster and 2 real IP addresses on the firewalls. So the outside looks something like this:

xxx.xxx.xxx.0 = Virtual Firewall
xxx.xxx.xxx.1 = CPF #1
xxx.xxx.xxx.2 = CPF #2

I own the PIX and another company owns the CPF. When I set up the PIX with the xxx.xxx.xxx.0 address, the reply comes from xxx.xxx.xxx.1. Has anyone seen this before, and how did you solve it? This is a call, I think, to all you CPF gurus.

Rod Cappon
