CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
encryption failed: gateway connected to both endpoints

When I have been doing VPN configurations I have seen entries in the log with the following in the info field:

"encryption failed: gateway connected to both endpoints"

The rule this matches looks like this:

| Source | Destination | Service | Action | Track |
|---|---|---|---|---|
| my-encdomain & partner-encdomain | partner-encdomain & my-encdomain | Any | Encrypt | Long |

The service is typically nb_session or nb_name. Most of them are in fact broadcasts generated by the firewall itself. My setup is the typical VPN setup: the encryption domains are the respective internal networks, and in the source and destination fields of the encrypt rule I have a group of all internal networks. Is it something I should worry about? Everything seems to be working OK.

Answer

Not only is your encryption rule matching VPN traffic, but it is also matching intranetwork traffic (i.e. within your firewall). When fwd tries to "encrypt" this traffic, it realizes that the source and destination are part of the same encryption domain and thus have the same gateway. This gets logged as "gateway connected to both endpoints," and is a harmless error. To avoid this error message, break up the encryption rules as follows:

| Source | Destination | Service | Action | Track |
|---|---|---|---|---|
| my-encdomain | partner-encdomain | Any | Encrypt | Long |
| partner-encdomain | my-encdomain | Any | Encrypt | Long |

| Source | Destination | Service | Action | Track |
|---|---|---|---|---|
| my-encdomain | prtnr1-encdom & prtnr2-encdom & prtnr3-encdom | Any | Encrypt | Long |
| prtnr1-encdom & prtnr2-encdom & prtnr3-encdom | my-encdomain | Any | Encrypt | Long |

It's also possible to group the partner networks together. You can then name the group CIFSextranet-sites or whatever.

Note: The encryption domains should not overlap.

-- RobertGraham - 14 Jan 2004

FAQs.Class: EncryptionFAQs
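The following is an added example, not part of the original FAQ entry and not Check Point code. It is a simplified model of the rule matching described above, showing why the combined rule catches intra-domain broadcasts while the split rules do not, plus a check for the "domains should not overlap" note. The network addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample encryption domains (addresses are assumptions, not from the post).
ENC_DOMAINS = {
    "my-encdomain": [ip_network("10.1.0.0/16")],
    "partner-encdomain": [ip_network("192.168.50.0/24")],
}

# Rules as (name, source objects, destination objects); a cell may hold several objects.
COMBINED = [("combined", {"my-encdomain", "partner-encdomain"},
             {"my-encdomain", "partner-encdomain"})]
SPLIT = [("outbound", {"my-encdomain"}, {"partner-encdomain"}),
         ("inbound", {"partner-encdomain"}, {"my-encdomain"})]

def domain_of(addr, domains=ENC_DOMAINS):
    """Return the name of the encryption domain containing addr, or None."""
    ip = ip_address(addr)
    for name, nets in domains.items():
        if any(ip in net for net in nets):
            return name
    return None

def match_rule(rules, src, dst):
    """Return the first Encrypt rule whose cells contain the packet's domains."""
    s, d = domain_of(src), domain_of(dst)
    for name, srcs, dsts in rules:
        if s in srcs and d in dsts:
            return name
    return None

def encrypt_outcome(rules, src, dst):
    """Model the log result for one packet under the given rule base."""
    rule = match_rule(rules, src, dst)
    if rule is None:
        return "no encrypt rule matched"
    if domain_of(src) == domain_of(dst):
        # Both endpoints sit behind the same gateway: nothing to encrypt to.
        return "encryption failed: gateway connected to both endpoints"
    return f"encrypt via rule '{rule}'"

def overlapping_domains(domains=ENC_DOMAINS):
    """Return pairs of encryption domains that share address space (want: empty)."""
    return [(a, b) for (a, na), (b, nb) in combinations(domains.items(), 2)
            if any(x.overlaps(y) for x in na for y in nb)]
```
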