![]() If the source address is in a peer’s encryption domain, and the destination is in the local encryption domain then the packet should have been encrypted.If the source address is not in the local encryption domain, and the destination address is not in a peer’s encryption domain then pass the packet without encryption.If the source address is not in a peer’s encryption domain, and the destination address is not in the local encryption domain, then pass the packet without encryption.When the firewall receives a packet, before it even looks at the rule base, it looks at whether any VPN encryption / decryption is required. Firstly, here are the rules (as I understand them) of a Checkpoint VPN: I found a few things on the internet, but the solution wasn’t immediately clear. The traffic destined for the new subnet was arriving at our firewall, and showing in the logs as dropped, with the error:Īccording to the policy the packet should not have been decrypted ![]() The far end device was a Cisco router, and had an access list matching an entire class A subnet which was applied to the crypto map. I encountered an issue recently while trying to allow access to a new subnet over an existing VPN.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |