-----Original Message-----
From: black@galaxy.silvren.com [mailto:black@galaxy.silvren.com]
Sent: Friday, June 29, 2001 10:11 AM
To: Madhur Nanda
Cc: firewalls@pluto.gnac.com
Subject: Re: VPN FW-1

On the second firewall, the encryption should take place on the address used by the NAT translation (the outside address). Are you encrypting based on the outside address, or on the internal, private addresses? In other words, if you have a setup like this:

LAN-using-192.168.1.0---<FW1 w/NAT>---VPN-using-204.233.3.0---<FW2>---etc

On FW2's ruleset, are you encrypting based on the 192.168.1.0 address or the 204.233.3.0 address? You should be encrypting on the 204.233.3.0.

---------------------
----> THAT'S CORRECT. I'm using a virtual network id, say 10.1.1.0 (as NAT), for 192.168.1.0 (if I take the case as above) on the second firewall. On the first firewall there is no NAT, so its FW encryption domain becomes 192.168.1.0; on the second firewall I'm using NAT for 192.168.1.0 to, say, 10.1.1.0, and I'm calling 10.1.1.0 the encryption domain for the second firewall, in addition to another network which acts as a virtual n/w (NAT) for the encryption domain of the third FW, say 172.16.1.10. I.e. the second FW has two networks in its encryption domain (10.1.1.0 and 10.2.2.0), one corresponding to the first FW's encryption domain (192.168.1.0) and the other corresponding to the third FW's encryption domain, i.e. (172.16.1.0). Now a system in 192.168.1.0 initiates a connection to 10.2.2.0, which is the virtual n/w id for the 3rd FW's encryption domain.

It goes in encrypted form to FW 2 and gets decrypted there, and then the source is translated to 10.1.1.0 (virtual n/w for the 1st FW's encryption domain) and the destination to the actual destination (encryption domain of the 3rd FW, 172.16.1.0). Now the source is part of the 2nd FW's encryption domain and the destination is part of the 3rd FW's encryption domain, so the traffic should go from the 2nd to the 3rd in encrypted form.......but IT'S NOT HAPPENING
----------------------------

If that's not the problem, I'm not sure what else to say except go wild on the logging and see what's happening. It's possible that you have a crypt algorithm mismatch or something of that sort. If you don't see any encrypt/decrypt messages in the logs, then it's most likely a rule set to encrypt on a wrong source address.

On Fri, 29 Jun 2001, Madhur Nanda wrote:

> Hi,
>
> I am testing a setup where I have three firewalls in a chain.
>
> The first and second firewall form a g/w to g/w VPN, and then the second and
> third form another VPN. The second firewall has two interfaces and as
> such it forms a VPN with its peer on a different interface. I wish to allow
> traffic originating from the encryption domain of firewall one to systems in
> the encryption domain of firewall three. The second firewall comes in the
> middle and mediates the traffic. I'm using NAT rules on the second
> firewall so as to distinguish between encryption domains on the second
> firewall.
> The traffic reaches the second firewall as desired (encrypt -> NAT ->
> ??) But when it leaves the second firewall it is not getting encrypted
> and is going plainly.....
>
> Can someone throw some light on it????
>
> 1) NAT takes place at only one interface??
> 2) FW-1 can form an encryption VPN on two interfaces???
>
> TIA
>
> regds
> Madhur
> _______________________________________________
> Firewalls mailing list
> Firewalls@lists.gnac.net
> http://lists.gnac.net/mailman/listinfo/firewalls
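The point the reply makes (the encrypt rule on the middle gateway has to match the address that is on the wire after NAT, not the private address behind it) is easy to get wrong when tracing a three-gateway chain by hand. The following is an added example written for this thread, not Check Point FW-1 code and not from either poster: a toy model that applies static NAT first and then evaluates the encrypt rule against the translated addresses. The order of operations, the `Firewall`/`VpnPeer`/`NatRule` classes and the `decide`/`trace` helpers are assumptions of the model, not a description of FW-1 internals; the networks reuse the ones from the thread. Running it shows the same packet being encrypted on the FW2-to-FW3 leg when FW2's domain lists the translated 10.1.1.0/24, and leaving in the clear when the domain lists the untranslated 192.168.1.0/24 instead.

```python
# Added illustration, not Check Point FW-1 code and not from the mailing-list
# thread. Assumed (simplified) order of operations on the middle gateway:
# decrypt -> static NAT -> match the encrypt rule against the addresses that
# will actually be on the wire. Addresses reuse the thread's example networks.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


def N(cidr: str) -> IPv4Network:
    return ip_network(cidr)


@dataclass
class NatRule:
    """Static net-to-net translation; host bits are carried over unchanged."""
    original: IPv4Network
    translated: IPv4Network

    def apply(self, addr: IPv4Address) -> IPv4Address:
        offset = int(addr) - int(self.original.network_address)
        return ip_address(int(self.translated.network_address) + offset)


def translate(rules, addr):
    """First matching static rule wins; no match means no translation."""
    for rule in rules:
        if addr in rule.original:
            return rule.apply(addr)
    return addr


@dataclass
class VpnPeer:
    """Encrypt to this peer when src is in local_domain and dst in remote_domain."""
    name: str
    local_domain: list
    remote_domain: list

    def matches(self, src, dst):
        return (any(src in n for n in self.local_domain)
                and any(dst in n for n in self.remote_domain))


@dataclass
class Firewall:
    name: str
    src_nat: list = field(default_factory=list)
    dst_nat: list = field(default_factory=list)
    peers: list = field(default_factory=list)

    def decide(self, src, dst):
        """Return (action, peer, on-wire src, on-wire dst) for an outbound packet.

        NAT is applied first and the encrypt rule is evaluated on the result,
        which is why the encryption domain must list the translated network.
        """
        src, dst = translate(self.src_nat, src), translate(self.dst_nat, dst)
        for peer in self.peers:
            if peer.matches(src, dst):
                return "encrypt", peer.name, src, dst
        return "clear", None, src, dst


def build_chain(fw2_domain_toward_fw3):
    """The thread's topology: FW1 has no NAT; FW2 hides 192.168.1.0/24 behind
    10.1.1.0/24 and presents FW3's 172.16.1.0/24 to FW1 as 10.2.2.0/24."""
    fw1 = Firewall("FW1", peers=[
        VpnPeer("FW2", [N("192.168.1.0/24")], [N("10.1.1.0/24"), N("10.2.2.0/24")])])
    fw2 = Firewall(
        "FW2",
        src_nat=[NatRule(N("192.168.1.0/24"), N("10.1.1.0/24"))],
        dst_nat=[NatRule(N("10.2.2.0/24"), N("172.16.1.0/24"))],
        peers=[
            VpnPeer("FW1", [N("10.1.1.0/24"), N("10.2.2.0/24")], [N("192.168.1.0/24")]),
            VpnPeer("FW3", fw2_domain_toward_fw3, [N("172.16.1.0/24")]),
        ])
    return [fw1, fw2]


def trace(chain, src, dst):
    """Walk the packet hop by hop; each gateway sees the previous hop's inner
    (decrypted) addresses and reports what it puts on the wire."""
    src, dst = ip_address(src), ip_address(dst)
    hops = []
    for fw in chain:
        action, peer, src, dst = fw.decide(src, dst)
        hops.append((fw.name, action, peer, str(src), str(dst)))
    return hops


if __name__ == "__main__":
    cases = [("FW2 domain toward FW3 = translated 10.1.1.0/24", [N("10.1.1.0/24")]),
             ("FW2 domain toward FW3 = untranslated 192.168.1.0/24", [N("192.168.1.0/24")])]
    for label, domain in cases:
        print(label)
        for hop in trace(build_chain(domain), "192.168.1.5", "10.2.2.7"):
            print("  ", hop)
```

The second case is the symptom described in the thread: the packet is decrypted and translated on FW2 exactly as intended, but the rule toward FW3 never matches because it was written against the pre-NAT source, so the gateway forwards it in the clear. Checking the FW2 log for the absence of an encrypt entry on that leg, as the reply suggests, is what distinguishes this from a cipher or key mismatch, which would still produce encrypt/decrypt entries.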