Edouard Zorrilla wrote:
Thanks for your reply, Sir.
Regarding the points stated here I have a couple of questions I hope you
can answer:
1.- You said: [ if you set a vpn community between your gateway and
site b, and specify "accept all encrypted traffic" in the community or
create a dedicated rule for vpn traffic, you'll see ipsec traffic
between the network behind your gateway and the network behind site
B's gateway.]
Q1: That is what I have done, and I get an error inside the tracker when
I send traffic to site A saying: "encryption fail reason: Packet
is dropped because there is no valid SA - please refer to solution
sk19423 in SecureKnowledge Database for more information"
VPN debugging can take some time.
Grab InfoView from Check Point, set "vpn debug ikeon" on your
firewall, and check the content of ike.elg afterwards to see where the
VPN fails.
2.- You said: [you can also set another rule to allow some traffic to
site A. as site A is not part of any community, the traffic is IP
only. ].
Q2: When I do this I get the error stated in Q1, even if I put the
rule above the VPN rule. What I am doing is making a mesh community and
putting inside it my Check Point NGX module and also the host at site B.
Do I need to place/move it anywhere else? Maybe I am forgetting
something. Could someone send me a paper by unicast? I would really
appreciate your help.
If site A is not in the "VPN domain" declared for your gateway and site
B's gateway, I still don't get why the traffic is encrypted.
Could you please describe your configuration a little more, with IP
addresses and networks for site A, site B, your site, the gateways, etc.?
(Don't put the real ones, of course.)
3.- You said: [ you can also specify not to encrypt some protocols in
your vpn community, so you'll see clear and encrypted traffic between
your site and site B.]
Q3: But what happens when I need to send the same protocol/port to sites
A and B? I cannot apply this, can I?
You need:
- for site B, to declare exceptions in the VPN community
- for site A, to declare an explicit rule, as site A is not part of the VPN
Thanks everybody.
Regards
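The exchange above turns on one question: which flows does a mesh community try to encrypt? Traffic is tunnelled only when both endpoints sit in the VPN domains of two different community members; a destination outside every member's domain (site A here) is plain IP and needs an ordinary access rule, and services excluded from the community pass in the clear even between members. The following is an added illustration, not code from the thread or from Check Point: a simplified model of that decision, with constructed gateway names, networks and services. The "broken" scenario, where site A's network is mistakenly listed in site B's VPN domain, is one constructed hypothesis for why a gateway would attempt encryption toward a site that has no peer, not a claim about the poster's actual configuration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Gateway:
    name: str
    vpn_domain: list            # encryption domain: networks behind this gateway

    def owns(self, ip):
        return any(ip in net for net in self.vpn_domain)


@dataclass
class MeshCommunity:
    members: list
    excluded_services: set = field(default_factory=set)   # sent in the clear

    def member_for(self, ip):
        """Return the community member whose VPN domain contains ip, if any."""
        for gw in self.members:
            if gw.owns(ip):
                return gw
        return None

    def classify(self, src, dst, service):
        """Return (encrypted, reason) for one flow seen by a community member.

        Simplified model: the real product has more cases (directional rules,
        per-gateway exclusions), but the membership test is the core idea."""
        src_gw = self.member_for(ip_address(src))
        dst_gw = self.member_for(ip_address(dst))
        if src_gw is None or dst_gw is None:
            return False, "clear: one endpoint is outside every member's VPN domain"
        if src_gw is dst_gw:
            return False, "clear: both endpoints are behind the same gateway"
        if service in self.excluded_services:
            return False, f"clear: {service} is excluded from the community"
        return True, f"encrypted: tunnel {src_gw.name} <-> {dst_gw.name}"


def build_scenario(site_a_in_b_domain=False):
    """Constructed topology (assumed names and addresses): our gateway and
    site B's gateway are community members; site A (10.3.0.0/24) is not.
    With site_a_in_b_domain=True, site A's network is wrongly listed in
    site B's VPN domain, so the community claims flows to site A."""
    ours = Gateway("our-gw", [ip_network("10.1.0.0/24")])
    site_b_domain = [ip_network("10.2.0.0/24")]
    if site_a_in_b_domain:
        site_b_domain.append(ip_network("10.3.0.0/24"))   # the misconfiguration
    site_b = Gateway("siteB-gw", site_b_domain)
    return MeshCommunity([ours, site_b], excluded_services={"dns"})


def demo():
    """Classify three flows under the correct and the broken VPN domains."""
    correct = build_scenario()
    broken = build_scenario(site_a_in_b_domain=True)
    flows = [("10.1.0.10", "10.2.0.20", "https"),   # to site B: encrypted
             ("10.1.0.10", "10.2.0.20", "dns"),     # to site B, excluded: clear
             ("10.1.0.10", "10.3.0.30", "https")]   # to site A: clear IP
    results = {}
    for src, dst, svc in flows:
        results[(dst, svc)] = (correct.classify(src, dst, svc),
                               broken.classify(src, dst, svc))
    return results


if __name__ == "__main__":
    for (dst, svc), (ok, bad) in demo().items():
        print(f"{svc:>5} -> {dst}")
        print(f"      correct domains       : {ok[1]}")
        print(f"      site A in siteB domain: {bad[1]}")
```

Run it and the third flow is the telling one: with correct VPN domains the packet to site A is plain IP and only the access rule decides its fate, whereas once site A's network is claimed by a member's domain the gateway treats the flow as community traffic and must negotiate an SA for it. That is the kind of mismatch the "no valid SA" drop and a look at the VPN domains (or at ike.elg after "vpn debug ikeon") would surface.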
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================