| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Secure Client and Overlapping Encryption Domains

As far as SecuRemote is concerned, any given IP address can only be a part of one encryption domain. If you have one site that has an encryption domain added into your SecuRemote client and then try to add another site that has an encryption domain with any overlap (i.e. they contain similar IP addresses), you will get this error.

In the following case, the error will also occur:

- Site A manages firewalls F and G
- Firewall F has an encryption domain X and is marked exportable
- Firewall G has no encryption domain, but it is marked exportable
- One or more interfaces on firewall G are in encryption domain X

SecuRemote always adds the firewall's interfaces to the encryption domain. Since firewall G is in F's encryption domain, there is an overlap in encryption domains. Olaf Selke suggests you can remove the offending interface definition from the firewall object and things should work normally, though you might have some problems with anti-spoofing.

FireWall-1 itself supports overlapping encryption domains only if the encryption domains overlap completely (i.e. you're using a Multiple Entry Point configuration). If you have multiple firewalls with partially overlapping encryption domains and you need to use them, you can either upgrade to SecuRemote build 4100 and later (which allows for enabling or disabling encryption domains at will).

-- PhoneBoy - 02 Apr 2004
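The check described above can be run against an inventory before sites are handed to SecuRemote users. The following is an added example, not part of the original FAQ and not Check Point tooling: the dictionary layout, field names and addresses are hypothetical, and it assumes a single address family (IPv4).

```python
import ipaddress
from itertools import combinations

def effective_domain(gw):
    """Declared encryption domain plus the gateway's own interface addresses,
    following the FAQ's statement that SecuRemote always adds the interfaces."""
    nets = [ipaddress.ip_network(n) for n in gw["domain"]]
    nets += [ipaddress.ip_network(ip) for ip in gw["interfaces"]]  # host entries
    return list(ipaddress.collapse_addresses(nets))

def find_overlaps(gateways):
    """Return [(gw_a, gw_b, [shared networks])] for every overlapping pair
    of exportable gateways."""
    domains = {name: effective_domain(gw) for name, gw in gateways.items()
               if gw["exportable"]}
    findings = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(domains.items()), 2):
        # CIDR blocks either nest or are disjoint, so the intersection of two
        # overlapping blocks is simply the smaller one.
        shared = {x if x.subnet_of(y) else y
                  for x in nets_a for y in nets_b if x.overlaps(y)}
        if shared:
            findings.append((a, b, sorted(str(n) for n in shared)))
    return findings

# Constructed sample topology mirroring the F/G case in the FAQ
# (hypothetical layout; private and documentation address ranges).
SITE_A = {
    "F": {"exportable": True, "domain": ["10.1.0.0/16"],
          "interfaces": ["192.0.2.1", "10.1.0.1"]},
    "G": {"exportable": True, "domain": [],
          "interfaces": ["192.0.2.2", "10.1.0.2"]},
}

if __name__ == "__main__":
    for a, b, shared in find_overlaps(SITE_A):
        print(f"{a} and {b} overlap on: {', '.join(shared)}")
```

Removing the internal interface from G's entry, as in the workaround the FAQ attributes to Olaf Selke, makes the finding disappear; the anti-spoofing side effect mentioned there is outside what this check models.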