Here's the scenario,
Three firewalls. Two are Solaris 8 in 64-bit mode running Checkpoint NG FP2 and the third is a Nokia IP330 with the latest rev of IPSO running NG FP1.
One of the firewalls is actually an HA cluster.
Separate encryption domains defined on all three, no overlapping.
Use backup gateways is enabled and I'm using IP Pool NAT for VPN connections.
All gateways service connections to their respective encryption domains with no problem.
A Secure Remote client can fail over from the Nokia to the other single gateway, and I'm assuming it will work in the reverse but have not tested yet.
Now for the problem.
When failing over to the cluster gateway, the VPN Client and the gateway exchange keys as expected, but apparently the client then proceeds to send packets unencrypted, which get dropped according to the rulebase.
Checkpoint is looking into it but I'm not getting any younger and would like to resolve this before I retire.
Has anyone else seen this?