Hi, we have a site-to-site VPN set up with a TMG at one end and a Checkpoint at the other end. Behind the Checkpoint are various networks (including an MPLS routed by the core and MPLS routers); behind the TMG there are some local routed networks (routed by the core, not the FW).
- All devices behind the TMG can connect to all devices behind the Checkpoint (local and over MPLS)
- All devices behind the Checkpoint (local and over MPLS) can connect to all devices behind the TMG
- All devices behind the Checkpoint (local and over MPLS) can connect to the TMG
- The TMG can only connect to the devices behind the Checkpoint and the various local networks; when trying to connect to devices over the MPLS, the connections fail. When looking at the TMG logging tool we can see that connections to devices behind the Checkpoint occur on the Internal interface; when attempting to connect to devices behind the Checkpoint that are over the MPLS, we see that the TMG sends the packets as Local Host (using the External IP). On the Checkpoint we can see packets arriving for both the local subnets and the MPLS subnets; however, we can also see they are coming from the two different IPs.
(Green lines are where the traffic works in both directions, Red is the one way traffic issue noted above)
How do we get the TMG to ensure all packets destined for the VPN tunnel from itself come from the Internal IP (not the External IP)?