If I am understanding this right as well... I had to set up a few of these types of connections where only HTTP/HTTPS goes over a VPN tunnel to an external internet URL filtering service (cloud) and the rest of the services go over internal/Internet.
In Traditional Mode VPN it works great and is very easy to set up. In Simplified Mode it takes a lot more work. After I did a lot of troubleshooting on my own and created my own doc, I found out later that BlueCoat already has some great docs out there, as they offer URL filtering in the cloud with customers forwarding ONLY their HTTP/HTTPS over VPN to them. Hope this helps and is what you are looking for. Both are policy-based Check Point VPN.

Traditional Mode
http://portal.threatpulse.com/docs/am/Content/Deployment/Tasks/Checkpoint/chkpnt_config_ta.htm

Simplified Mode
https://kb.bluecoat.com/index?page=content&id=KB5266

On Fri, Oct 11, 2013 at 5:56 PM, Sergio Alvarez <seral...@gmail.com> wrote:
> I agree with David here, the problem is with the definition of the VPN
> domain for the other peer, you just cannot know what the destination would
> be.
>
> Regards
>
> On Friday, 11 October 2013, David DeSimone wrote:
>
> > tasneemjan <tasneem...@aim.com> wrote:
> >
> > > I am using R77 and have an IPsec tunnel to a cloud service for anti-x
> > > filtering.
> >
> > Do you mean that you want all HTTP/HTTPS traffic originating from your
> > network, no matter what destination IP it might have, to go through this
> > IPSEC tunnel?
> >
> > > I have a rule at the top to send all http/s traffic through the
> > > community.
> >
> > Rules do not "set" the community which will be used. They instead
> > "match" which community was chosen, based on topology. If your traffic
> > does not route through the VPN community, then it will not match rule 1.
> >
> > > After the 1st rule I have a rule for internal networks to be NATed behind
> > > the gateway's public interface. When I initiate the HTTP traffic it
> > > doesn't match the 1st rule and matches the 2nd rule to go to the internet,
> > > which doesn't bring the tunnel up. Can someone assist please.
> >
> > You said that you checked the encryption domain for your local network,
> > and it is correct.
> > What did you use as the encryption domain for the
> > peer at the other end of the IPsec tunnel?
> >
> > If my guess is correct, you want to use route-based VPN rather than
> > topology-based VPN.
> >
> > --
> > David DeSimone == Network Admin == f...@verio.net
> > "I don't like spinach, and I'm glad I don't, because if I
> > liked it I'd eat it, and I just hate it." -- Clarence Darrow
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to lists...@amadeus.us.checkpoint.com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-ow...@ts.checkpoint.com
> > =================================================
>
> --
> Sergio Alvarez
> CISSP | CCSE+
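As an added illustration, not from any poster in this thread, of David's point that rules match the community chosen by topology rather than set it: a constructed Python model of the two ways a gateway assigns a packet to the tunnel. The encryption domains, addresses, route table and rule names are assumptions, not the original poster's configuration.

```python
# Constructed model (not Check Point's code) of how a gateway decides that a
# packet belongs to a VPN community, and why an "all HTTP/S via the community"
# rule never matches in a policy-based (topology) VPN.
from ipaddress import ip_address, ip_network

# Assumed encryption domains: the internal network and the cloud filter's range.
LOCAL_DOMAIN = [ip_network("10.0.0.0/8")]
CLOUD_PEER_DOMAIN = [ip_network("203.0.113.0/24")]

# Assumed rule base: (name, TCP services or None for any, required community, action).
RULES = [
    ("rule 1: http/s through community", {80, 443}, "CloudFilter", "accept"),
    ("rule 2: internal to internet, hide NAT", None, None, "accept"),
]

def in_domain(addr, domain):
    return any(ip_address(addr) in net for net in domain)

def policy_based_community(pkt):
    """Topology decides: the packet is in the community only if src lies in
    the local domain AND dst lies in the peer's domain. Rules merely match this."""
    if in_domain(pkt["src"], LOCAL_DOMAIN) and in_domain(pkt["dst"], CLOUD_PEER_DOMAIN):
        return "CloudFilter"
    return None

def route_based_community(pkt, routes):
    """Route-based: the first matching (policy) route decides. Whatever is
    sent to the VTI is encrypted to the peer, whatever its destination address."""
    for dport, nexthop in routes:          # dport None = default route
        if dport is None or pkt["dport"] == dport:
            return "CloudFilter" if nexthop == "vti0" else None
    return None

def first_matching_rule(pkt, community):
    """Rule base walk: a rule with a VPN column only matches if the packet
    was already assigned that community; otherwise fall through to rule 2."""
    for name, services, required_vpn, action in RULES:
        if services is not None and pkt["dport"] not in services:
            continue
        if required_vpn is not None and community != required_vpn:
            continue
        return name
    return "cleanup: drop"

def decide(pkt, mode, routes=()):
    community = policy_based_community(pkt) if mode == "policy" else route_based_community(pkt, routes)
    return first_matching_rule(pkt, community)
```

In the policy-based case an HTTPS packet to an arbitrary web server is never assigned the community, so it falls through to the NAT rule, which is exactly the symptom tasneemjan describes; with a port-based route to the VTI the same packet is assigned the community before the rule base is consulted.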