The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: encryption failed: gateway connected to both endpoints

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet, and people are still clicking on them.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


encryption failed: gateway connected to both endpoints

When I have been doing VPN configurations I have seen entries in the log with the following in the info field:

"encryption failed: gateway connected to both endpoints"

The rule this matches looks like this:

Source                            Destination                       Service  Action   Track
my-encdomain & partner-encdomain  partner-encdomain & my-encdomain  Any      Encrypt  Long

The service is typically nb_session or nb_name. Most of them are in fact broadcasts generated by the firewall itself.

My setup is the typical VPN setup: the encryption domains are the respective internal networks and in the source and destination fields of the encrypt rule I have a group of all internal networks. Is it something I should worry about? Everything seems to be working OK.

Answer


Your encryption rule matches not only the VPN traffic you intended but also traffic that never leaves your own encryption domain, because my-encdomain appears in both the Source and the Destination column: a packet from one internal host to another (or a broadcast onto an internal subnet) satisfies both columns. When FireWall-1 tries to "encrypt" such a packet it finds that source and destination belong to the same encryption domain and therefore to the same gateway, so there is no peer gateway to build a tunnel to. That condition is logged as "encryption failed: gateway connected to both endpoints". For the NetBIOS broadcasts you are seeing it is harmless, but it does show that the rule is matching more than you meant it to.

To get rid of the log entries, and to make the rule match only traffic that actually crosses the VPN, split the encryption rule so that your own encryption domain appears in only one column of each rule:

Source             Destination        Service  Action   Track
my-encdomain       partner-encdomain  Any      Encrypt  Long
partner-encdomain  my-encdomain       Any      Encrypt  Long

With several partner sites, list them together in whichever column is not your own domain:

Source                                               Destination                                          Service  Action   Track
my-encdomain                                         partner1-encdom & partner2-encdom & partner3-encdom  Any      Encrypt  Long
partner1-encdom & partner2-encdom & partner3-encdom  my-encdomain                                         Any      Encrypt  Long

It’s also possible to group the partner networks together. You can then name the group CIFSextranet-sites or whatever.

Note: The encryption domains should not overlap. If an address falls inside more than one encryption domain, the firewall cannot tell which gateway it is supposed to encrypt to, and you will get unpredictable results rather than a clean error.
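To make the matching argument above concrete, here is a small added simulation (my illustration, not Check Point code and not anything the original FAQ contained). It evaluates a first-match rulebase the way the rules in the tables above would be evaluated, flags the "gateway connected to both endpoints" case when source and destination resolve to the same gateway, and also runs the overlap check from the note. All addresses, gateway names and the flows are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the illustration (assumption, not from the FAQ).
MY_ENCDOMAIN = [ip_network("10.1.0.0/16")]
PARTNER1_ENCDOM = [ip_network("192.168.10.0/24")]
PARTNER2_ENCDOM = [ip_network("192.168.20.0/24")]

# Which (hypothetical) gateway owns which encryption domain.
DOMAINS = {
    "my-gw": MY_ENCDOMAIN,
    "partner1-gw": PARTNER1_ENCDOM,
    "partner2-gw": PARTNER2_ENCDOM,
}

# A deliberately bad layout: the partner domain sits inside ours.
OVERLAPPING_EXAMPLE = {
    "my-gw": MY_ENCDOMAIN,
    "bad-partner-gw": [ip_network("10.1.5.0/24")],
}

BOTH_ENDPOINTS = "encryption failed: gateway connected to both endpoints"


def in_group(addr, group):
    """True if addr falls in any network of the group (a rule column)."""
    ip = ip_address(addr)
    return any(ip in net for net in group)


def gateway_for(addr):
    """Gateway whose encryption domain contains addr, or None."""
    for gw, nets in DOMAINS.items():
        if in_group(addr, nets):
            return gw
    return None


@dataclass
class Rule:
    source: list        # networks in the Source column
    destination: list   # networks in the Destination column
    service: str        # "Any" or a service name such as "nb_name"
    action: str


def evaluate(rulebase, src, dst, service):
    """First-match evaluation. Returns (rule number, outcome); the number is
    1-based like the GUI, or None when nothing matched and the packet would
    fall through to the rest of a real rulebase."""
    for number, rule in enumerate(rulebase, start=1):
        if not (in_group(src, rule.source) and in_group(dst, rule.destination)):
            continue
        if rule.service not in ("Any", service):
            continue
        # Encrypt needs a peer gateway; same gateway on both ends is the
        # condition the FAQ's log entry describes.
        if rule.action == "Encrypt" and gateway_for(src) == gateway_for(dst):
            return number, BOTH_ENDPOINTS
        return number, rule.action
    return None, "no match"


# Rule as in the question: both domains in both columns.
COMBINED = [
    Rule(MY_ENCDOMAIN + PARTNER1_ENCDOM, PARTNER1_ENCDOM + MY_ENCDOMAIN,
         "Any", "Encrypt"),
]

# Rules as in the answer: one direction per rule, partners grouped.
SPLIT = [
    Rule(MY_ENCDOMAIN, PARTNER1_ENCDOM + PARTNER2_ENCDOM, "Any", "Encrypt"),
    Rule(PARTNER1_ENCDOM + PARTNER2_ENCDOM, MY_ENCDOMAIN, "Any", "Encrypt"),
]


def overlapping_domains(domains):
    """Pairs of gateways whose encryption domains share any address."""
    names = list(domains)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in domains[a] for y in domains[b]):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    flows = [
        ("10.1.1.5", "10.1.1.255", "nb_name"),       # local NetBIOS broadcast
        ("10.1.1.5", "192.168.10.7", "nb_session"),  # to partner 1
        ("192.168.20.7", "10.1.1.5", "nb_session"),  # from partner 2
    ]
    for name, rulebase in (("combined", COMBINED), ("split", SPLIT)):
        for src, dst, svc in flows:
            print(f"{name:8} {src:>13} -> {dst:<13} {svc:10}",
                  evaluate(rulebase, src, dst, svc))
    print("overlaps:", overlapping_domains(OVERLAPPING_EXAMPLE))
```

The local broadcast hits the combined rule and produces the "both endpoints" outcome, while under the split rules it matches no Encrypt rule at all and is left to whatever follows in the rulebase; the genuine VPN flows match in both layouts. The overlap check is the test to run before trusting either layout, since a host inside two domains resolves to whichever gateway happens to be checked first.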

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.