After changing your encryption domain did you do a site update on the
client?

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Joel Guillerm
Sent: Friday, May 18, 2007 4:56 PM
To: [email protected]
Subject: [FW-1] VPN SecureClient : IP flows to a new internal network not encrypted in the VPN tunnel

Checkpoint NG R55, Nokia IPSO 4.1, SecureClient R56 ;

VPN tunnel is established correctly from the SecureClient PC ; IP address is correctly affected to the PC ;
everything has been working OK for a while ;

now, we want to give access to a new internal LAN network ;
so, we defined it everywhere it is needed (new object, added to the Group of other existing internal LAN networks and to the AntiSpoofing Group, update of the Nokia routing table) ;
the firewall can reach this new network locally, and from this new network, we can reach DMZ or Internet resources the same way we can from the other existing internal LAN networks ;

When we try to access this new LAN network thru a VPN connection, it does not work at all (no ping, nothing) ;
on the PC connected via VPN, we can see the 2 following points :
a) the routing table does not show this new network as accessible thru the VPN tunnel address, so this means flows to this new network are sent as clear flow towards Internet, and not to the Firewall
b) the Log viewer confirms this point, since the test Pings to this new LAN network show them as being sent not encrypted with source IP address the ISP IP address, not the VPN one ;

If we add manually a route on the PC to tell it the new network is reachable via the VPN tunnel IP address, the Log viewer shows the source address is now correct, but the flow is still not encrypted, so it still does not work

Is there a specific definition somewhere to indicate which flows should be routed and encrypted in the VPN tunnel ?

as mentioned, this new LAN network has been defined as an existing LAN network and added in the Group of those existing LANs, and this Group was already defined as the destination of VPN rules

thanks in advance for any help

--------------------------------------------------------------------------------------
Joel

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
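The symptom in the thread (right source address after adding a route, but still clear text) comes down to which networks the client's cached copy of the encryption domain contains, not what the PC's routing table says. The following is an added illustration, not code from the list or from Check Point: it models that client-side decision with constructed addresses and a simplified rule (destination inside the cached domain means encrypt, anything else leaves in clear), and lists the networks a site update would bring down from the gateway. The model is an assumption made for teaching purposes, not SecureClient's actual implementation.

```python
import ipaddress

# Constructed sample data (not taken from the thread): the gateway's encryption
# domain after the admin added the new LAN, and the stale copy of the site
# topology that the SecureClient PC downloaded before that change.
GATEWAY_ENCRYPTION_DOMAIN = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
CLIENT_TOPOLOGY_STALE = ["10.1.0.0/16", "10.2.0.0/16"]

# Constructed addresses for the test pings.
VPN_IP = "10.255.0.7"     # address the gateway handed to the client
ISP_IP = "203.0.113.45"   # the PC's own Internet-facing address


def parse_domain(cidrs):
    """Turn a list of CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def classify_flow(dst, client_domain, manual_route_via_tunnel=False):
    """Simplified model of the client-side decision described in the thread.

    A packet is encrypted only if its destination lies inside the encryption
    domain the client currently knows about. A manually added route changes
    which address the packet leaves from, but not whether it is encrypted.
    Returns (encrypted, source_ip).
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in client_domain):
        return True, VPN_IP
    if manual_route_via_tunnel:
        return False, VPN_IP   # symptom b) plus manual route: right source, still clear
    return False, ISP_IP       # symptom b) as first observed: clear text via the ISP address


def stale_networks(gateway_cidrs, client_cidrs):
    """Networks present in the gateway's encryption domain but missing from
    the client's cached topology, i.e. the ones a site update would add."""
    gw = set(parse_domain(gateway_cidrs))
    cl = set(parse_domain(client_cidrs))
    return sorted(str(n) for n in gw - cl)


def simulate_site_update(gateway_cidrs):
    """A site update replaces the client's cached topology with the gateway's current one."""
    return list(gateway_cidrs)


if __name__ == "__main__":
    stale = parse_domain(CLIENT_TOPOLOGY_STALE)
    print("before update, no route:  ", classify_flow("10.3.0.10", stale))
    print("before update, with route:", classify_flow("10.3.0.10", stale, manual_route_via_tunnel=True))
    print("site update would add:    ", stale_networks(GATEWAY_ENCRYPTION_DOMAIN, CLIENT_TOPOLOGY_STALE))
    fresh = parse_domain(simulate_site_update(GATEWAY_ENCRYPTION_DOMAIN))
    print("after update:             ", classify_flow("10.3.0.10", fresh))
```

Run it as a script to see the three states side by side: the new LAN is clear text via the ISP address before the update, clear text with the VPN source address once a manual route is added, and encrypted only after the client's topology contains the new network. The `stale_networks` check is the quick way to confirm, on the admin side, which objects the client has not yet learned about.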