RADIUS authentication over Site-to-Site

Setup: I've got 2 firewalls (we'll call them A and B) with a site-to-site VPN. Firewall A has our RADIUS servers behind it, and is also the primary site for SecureClient connections. Both firewalls are listed in the community for remote access.

Situation: When SecureClients come in to firewall A, then request a resource behind firewall B, firewall B uses an implied rule (0) to send the traffic to our RADIUS servers. This implied rule sends the traffic out of firewall B unencrypted and not down the tunnel. It gets dropped by the upstream router because it's to a 192.168.x.x internal address.

Things I've tried: Called Check Point tech support. Their answer is to change from a mesh to a star and route all traffic through the 'hub'. I don't want to do this. I've tried NAT'ing the packets in my address translation on both ends so that the packets flow over the internet (we use CRYPTOCard, so they are one-time passwords; I'm not super concerned). Still, rule 0 sends the traffic ~before~ the NATing.

Help? Anyone know a way out of this maze? How do I get the traffic to the RADIUS servers to get to their destination (hopefully, but not required, over the site-to-site)?

Any help would be greatly appreciated.

M.

__________________
---
Michael Tracey
Sonopress, LLC
firstname (dot) lastname (at) Sonopress (dot) Com