
different encryption domains


stooo

Technical User
Nov 19, 2002
183
GB
Hi,

Is it possible to set what encryption domain is sent when establishing a vpn?
e.g.
I have an internal network of 10.0.0.0/16 and need to have VPNs to 2 external companies.

In my encryption domain group, I have the /16 network object, and some individual host objects (10.0.1.5 and 10.0.3.5).

Company 1 will allow the full /16, but company 2 is using other IPs in the range, and wants me to send the individual host IPs.


This works fine if the tunnel is initiated from their side, but if I initiate it, phase 2 fails as I'm sending the /16.

How can I specify that for company 1 I send the /16 and company 2 I send the individual hosts for phase 2?

I hope that makes sense

Thanks
 
You're going to need to figure a different way to do that. You have overlapping IP ranges. I'd review Company 1: do they really need the full /16 network, or can you NAT them on their side?

good luck
 
Sorry, I don't think I explained it clearly;

My side has 10.0.0.0/16 internal
Company 1 is 192.168.1.0/24
Company 2 is 192.168.2.0/24

Company 1 needs to access the entire 10.0.0.0/16

Company 2 only needs to access 10.0.1.5 and 10.0.3.5, and already has existing VPNs to unrelated sites, using IPs from the 10.0.0.0/16 range.

on a Pix I would do something like

access-list company1-vpn extended permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list company2-vpn extended permit ip host 10.0.1.5 192.168.2.0 255.255.255.0
access-list company2-vpn extended permit ip host 10.0.3.5 192.168.2.0 255.255.255.0

Is this possible in checkpoint?

(please note, this has been simplified a bit; there are more than 2 individual IPs that company 2 needs to access)

Thanks for your help
 
NP, on the FW object you would use the 10.0.0.0/16 as your encryption domain. Are your phase 2 encryption settings the same on both sides, and do you have matching security rules?
 
My encryption domain is a group containing the /16 and the 2 hosts
Phase 2 for company 1 is the /16,
Phase 2 for Company 2 is the 2 hosts.

The problem is that when I try to initiate the tunnel to Company 2 it sends the /16; I need it to use the 2 hosts.
 
Are you using simplified or traditional mode? We use Traditional mode and I find it gives me more control and granularity. What is the exact error msg you get? Is it an invalid SA? If so, confirm that the other company's security rules match yours.

We have similar tunnels set up; our global encryption domain is a large group with a number of either networks or IP ranges. Some connections will have an entire subnet while others will only have 1 IP. Your security rule to company 2 should only be the IPs of the 2 hosts going to their network, and company 2 should have a similar security rule.

hope this helps
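A small model of the phase 2 selector problem discussed in this thread, added here as an example and not code from any of the posts: with one shared encryption-domain group the initiator proposes the largest object containing the source host (the /16), which Company 2 rejects, while peer-specific selectors (the PIX crypto-ACL style) propose the host. The addresses are the constructed ones from the thread, and the acceptance rule in `peer_accepts` is a simplifying assumption noted in its comment.

```python
from ipaddress import ip_network

# Constructed sample data modelled on the thread (not a real configuration).
LOCAL_DOMAIN = ["10.0.0.0/16", "10.0.1.5/32", "10.0.3.5/32"]
PEERS = {
    # "accepts" = the remote-side selectors each company's gateway will agree to
    "company1": {"network": "192.168.1.0/24", "accepts": ["10.0.0.0/16"]},
    "company2": {"network": "192.168.2.0/24", "accepts": ["10.0.1.5/32", "10.0.3.5/32"]},
}
# Per-peer local selectors, the equivalent of the PIX crypto ACLs in the thread.
PER_PEER_LOCAL = {
    "company1": ["10.0.0.0/16"],
    "company2": ["10.0.1.5/32", "10.0.3.5/32"],
}


def containing(selectors, host):
    """All selectors that contain the source host."""
    h = ip_network(host)
    return [n for n in map(ip_network, selectors) if h.subnet_of(n)]


def proposal_global(src_host):
    """One shared encryption-domain group: propose the largest member containing the host."""
    cands = containing(LOCAL_DOMAIN, src_host)
    return min(cands, key=lambda n: n.prefixlen) if cands else None


def proposal_per_peer(peer, src_host):
    """Peer-specific selectors: propose the most specific entry containing the host."""
    cands = containing(PER_PEER_LOCAL[peer], src_host)
    return max(cands, key=lambda n: n.prefixlen) if cands else None


def peer_accepts(peer, proposed):
    """Assumption: the peer accepts a proposal equal to or narrower than a listed
    selector. Many gateways insist on an exact match, which only makes this stricter."""
    return proposed is not None and any(
        proposed.subnet_of(ip_network(a)) for a in PEERS[peer]["accepts"])


def simulate(src_host, peer):
    """Return (proposed selector, accepted?) for both ways of building the proposal."""
    g = proposal_global(src_host)
    p = proposal_per_peer(peer, src_host)
    return {
        "global": (str(g) if g else None, peer_accepts(peer, g)),
        "per_peer": (str(p) if p else None, peer_accepts(peer, p)),
    }


if __name__ == "__main__":
    for peer in PEERS:
        print(peer, simulate("10.0.1.5", peer))
```

Running it shows Company 2 failing phase 2 under the shared group and succeeding with its own selectors, which is the distinction the thread draws between a global encryption domain and a per-peer security rule.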
 