FireWall-1 FAQ: encryption failed: gateway connected to both endpoints
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
When I have been doing VPN configurations I have seen entries in the log with the following in the info field:
"encryption failed: gateway connected to both endpoints"
The rule this matches looks like this:
|Source|Destination|Service|Action|Track|
|my-encdomain & partner-encdomain|partner-encdomain & my-encdomain|Any|Encrypt|Long|
The service is typically nb_session or nb_name. Most of them are in fact broadcasts generated by the firewall itself.
My setup is the typical VPN setup: the encryption domains are the respective internal networks and in the source and destination fields of the encrypt rule I have a group of all internal networks. Is it something I should worry about? Everything seems to be working OK.
Your encryption rule is matching not only VPN traffic but also traffic that never leaves your own encryption domain, for example the NetBIOS broadcasts your firewall module sends onto its internal network: source and destination are both inside my-encdomain, so both fall within the group you have in the Source and Destination columns. When fwd tries to "encrypt" such a connection it finds that the source and destination belong to the same encryption domain and are therefore served by the same gateway, so there is no peer gateway to build a tunnel to. That is what gets logged as "gateway connected to both endpoints," and for traffic like this it is harmless: the entry is log noise, not a failure of the VPN itself.
It is still worth fixing the rule base so the message goes away. The same message from a connection that really should have been encrypted would point to a genuine problem (overlapping encryption domains being the usual cause), and that is much easier to notice when it is not buried among broadcasts.
To avoid this error message, break up the encryption rule so that neither column contains your own encryption domain together with the partner domains:
|Source|Destination|Service|Action|Track|
|my-encdomain|partner1-encdom & partner2-encdom & partner3-encdom|Any|Encrypt|Long|
|partner1-encdom & partner2-encdom & partner3-encdom|my-encdomain|Any|Encrypt|Long|
Local traffic now matches neither rule and falls through to the rest of the rule base, as it should.
You can also put the partner encryption domains into a single group object (call it CIFSextranet-sites or whatever) and use that group in place of listing each partner domain in the rule.
Note: the encryption domains must not overlap. If a host falls inside more than one encryption domain, the gateway cannot tell which peer is supposed to terminate the tunnel for it, and you can get this same error for real VPN traffic rather than just for local broadcasts.
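As an added illustration (not from the original FAQ and not Check Point code), the following Python script models first-match rule base evaluation over the two rule bases above, with constructed addresses standing in for each encryption domain. It shows the single rule matching a NetBIOS broadcast whose source and destination sit in the same domain, the split rules letting that traffic fall through, and a check for the domain overlap the note warns about. The object names follow the FAQ; the addresses, the sample connections and the helper names (evaluate, gateways_for, find_overlaps) are assumptions made for this example.

```python
"""Model of how a FireWall-1 encrypt rule matches intra-domain traffic.

Constructed example for this FAQ entry, not Check Point code.  Object
names follow the FAQ; addresses and sample connections are made up.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Encryption domains, one per gateway (constructed address ranges).
DOMAINS = {
    "my-encdomain":    ["10.1.0.0/16", "10.2.0.0/16"],
    "partner1-encdom": ["192.168.10.0/24"],
    "partner2-encdom": ["192.168.20.0/24"],
    "partner3-encdom": ["192.168.30.0/24"],
}
PARTNERS = ["partner1-encdom", "partner2-encdom", "partner3-encdom"]

ERR_BOTH_ENDPOINTS = "encryption failed: gateway connected to both endpoints"


def nets(*names):
    """Expand domain object names into a list of ip_network objects."""
    return [ipaddress.ip_network(n) for name in names for n in DOMAINS[name]]


def in_nets(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


@dataclass
class Rule:
    src: list               # Source column: list of ip_network
    dst: list               # Destination column
    action: str = "Encrypt" # Service is Any in every rule here, so omitted


def gateways_for(addr):
    """Gateways whose encryption domain contains addr: exactly one when the
    domains do not overlap, several when they do."""
    return {name for name in DOMAINS if in_nets(addr, nets(name))}


def evaluate(rulebase, src, dst):
    """First-match evaluation.  Returns (rule index, result) where result is
    'encrypt', the FAQ's error string, or 'no match' (fell through)."""
    for i, rule in enumerate(rulebase):
        if in_nets(src, rule.src) and in_nets(dst, rule.dst):
            if rule.action != "Encrypt":
                return i, rule.action.lower()
            # The same gateway serves both ends: there is no peer to tunnel to.
            if gateways_for(src) & gateways_for(dst):
                return i, ERR_BOTH_ENDPOINTS
            return i, "encrypt"
    return None, "no match"


def find_overlaps(domains):
    """Pairs of domain names whose address ranges overlap (should be empty)."""
    found = []
    for a, b in combinations(domains, 2):
        na = [ipaddress.ip_network(n) for n in domains[a]]
        nb = [ipaddress.ip_network(n) for n in domains[b]]
        if any(x.overlaps(y) for x in na for y in nb):
            found.append((a, b))
    return found


# The questioner's single rule: the union of all domains in both columns.
ORIGINAL = [Rule(nets("my-encdomain", *PARTNERS), nets("my-encdomain", *PARTNERS))]

# The split rules from the answer: my domain on one side, partners on the other.
SPLIT = [
    Rule(nets("my-encdomain"), nets(*PARTNERS)),
    Rule(nets(*PARTNERS), nets("my-encdomain")),
]

# Constructed sample connections: (source, destination, description).
SAMPLES = [
    ("10.1.0.1", "10.1.255.255", "nb_name broadcast from the firewall's inside interface"),
    ("10.1.0.5", "10.2.0.7", "host to host inside my-encdomain"),
    ("10.1.0.5", "192.168.10.9", "outbound VPN traffic to partner 1"),
    ("192.168.20.3", "10.2.0.7", "inbound VPN traffic from partner 2"),
]

if __name__ == "__main__":
    for name, rb in (("original", ORIGINAL), ("split", SPLIT)):
        print(f"-- {name} rule base --")
        for src, dst, desc in SAMPLES:
            idx, result = evaluate(rb, src, dst)
            print(f"{src:>13} -> {dst:<15} rule {idx}: {result}  ({desc})")
    print("overlapping domains:", find_overlaps(DOMAINS) or "none")
```

Run it and the broadcast and host-to-host connections hit rule 0 of the original rule base with the FAQ's error string, while under the split rule base they match nothing and fall through; the two genuine VPN connections encrypt under both. Feeding find_overlaps a domain table in which one range contains another reproduces the overlap the note warns about.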