[FW1] HA configuration and VPN
I seem to be stuck on getting both HA and VPN working at the same time. I'm most confused about how the workstation objects' IP addresses need to change for the implementation. I currently have the following setup before HA is configured:

1. Management module (M1) on a private (non-routable) network.
2. Gateway module (G1) with one interface on the same private network as M1 and another with a valid routable IP to the Internet.
3. Gateway module (G3) in another location with one interface on a private network and another with a valid routable IP to the Internet.

Currently I have G1 and G3 set up with IKE pre-shared secrets to do VPN. Both of the workstation objects for G1 and G3 have the IP address facing the Internet defined as "their" IP address. This works great with no problems. I am able to communicate between the two private address ranges just fine. G1 and G3 both have the appropriate encryption domains set up. M1 can push rules to and receive logs from G1 and G3 fine.

Until I bring HA into the picture...

To set up HA I've added a second Gateway module (G2) to the same networks that G1 is attached to. I've added the HA licenses to both, set up the HA properties, configured the shared MAC addresses, and set up synchronization. I've also added an additional network card to M1, G1, and G2 and connected all three to a dedicated hub. The G1 and G2 workstation objects have this new network added to their interface lists. I've created a Gateway Cluster object with the IP address of G1's public Internet interface and the same VPN properties as G1, and have assigned G1 and G2 to this cluster object. To get HA to work I've had to modify the workstation objects of M1, G1, and G2 to be defined by their IP addresses on the secure network. This allows me to push rules to the cluster object.

This seems to work for non-VPN connections (I'm able to have telnet and FTP sessions active with public entities and fail over between G1 and G2), but the VPN between the Gateway Cluster object and G3 is gone. My log shows G3 trying to send VPN traffic to the now-reconfigured G1 IP address and, of course, it doesn't get a reply. I've tried all sorts of IP address changes (public, private) for G1 and G2 and have even created new objects for their public addresses and substituted those in the rule base where G1 used to be. Nothing I've tried has helped.

Check Point's documentation for this simply tells me to assign IP addresses to the gateway cluster object and the gateways "in accordance with the instructions provided with the third-party solution." Well, CP is the solution and I cannot find any documentation by them to address this.

Any help would be greatly appreciated. Thanks.

Michael Junk