Check Point firewall running on Nokia IPSO 3.8 with R55.
Site-to-site VPN endpoint with a Nokia IP40, although it could be any non-Check Point enterprise firewall.
Topology for the main FW is all local subnets bar the remote site. Topology for the remote FW is its local subnet. We are using a VPN mesh community for site-to-site. The main FW has to have this topology or it will not encrypt to the remote site.
We use SecurID to authenticate VPN users, which will not work with the IP40 or many other cheap VPN end-points.
The problem is this: site-to-site VPN works fine; however, when a remote access user connects to the main firewall, they cannot access the remote site. The topology information that they download does not contain the remote site as an available domain behind the firewall, as it is not listed in the firewall's topology.
How do remote access users access the main site? Do you use a "NAT" pool for it? If you do, you have to include the "NAT" pool address space as part of the main FW topology as well. Otherwise, it will not work. I just don't see how it is going to work without using a NAT pool.
The main problem that I can see is that when you configure the topology for the main firewall, it cannot include the subnet of the remote firewall, as if you do, it will not encrypt traffic to it over the site-to-site VPN link.
Because of this, the topology for the remote access clients does not include this remote subnet, and when they try to access it they do not even go to the firewall.
I am using a VPN pool for the remote clients, but it is not listed in the VPN topology.
VPN routing. This functionality has been built in so you can route through your main gateway as a hub. So you include the remote network as part of the encryption domain, then you configure the VPN routing parameters, and your remote clients should be able to access the remote end-point.
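As an added illustration of the hub setup described in the reply above (this is example configuration, not something posted in the thread), the VPN routing parameters on a Check Point management server of that era live in `$FWDIR/conf/vpn_route.conf`, a three-column text file: the destination network, the gateway the traffic should be forwarded through, and the gateway the entry is installed on. The object names `Remote_Site_Net`, `Remote_GW` and `Main_GW` below are placeholders for SmartDashboard objects and are assumed, not taken from the thread; the exact entry for the remote-access case should be checked against the VPN administration guide for the installed version, since the semantics of the middle column have been documented mainly for spoke-to-spoke traffic.

```text
# $FWDIR/conf/vpn_route.conf on the SmartCenter (management) server.
# Whitespace-separated columns; names are SmartDashboard object names.
# Object names here are placeholders chosen for this example.
#
# Destination        Next hop router interface    Install on
Remote_Site_Net      Remote_GW                    Main_GW
```

The prerequisite is the point made in the reply: `Remote_Site_Net` must be a member of the main gateway's encryption domain, otherwise the remote access clients never download it in their topology and never send the traffic to the gateway at all. With the domain widened and the entry above in place, the hub forwards client traffic for that network over the existing site-to-site tunnel to `Remote_GW`. Install policy after editing the file, and confirm on the hub with `vpn tu` that the tunnel to the remote gateway is still established once the encryption domains overlap, since that overlap was exactly what broke site-to-site encryption in the original setup.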