RE: [FW1] Architecture for connecting multiple sites via VPN
Uh...that's probably not the best idea as it will double the number of encrypted transactions as well as turn into a routing nightmare.

1. Every connection from a remote site to another remote site will require two encrypt/decrypt operations as opposed to only one if it were site to site VPN.

2. Manage your rule sets from an enterprise management console. If you have enough VPN and FW modules out there where you don't want to configure them all by hand you can probably afford an EMC license. This will let you have different rule sets for different nodes, if this is the style you prefer (as opposed to a huge monolithic rule set for all of your nodes) as well as a common object base so defining your encryption domains will be less of a burden.

3. You would need to have quite a few static routes at the end points as well as through your core network to get packets routed correctly. If you do site to site VPN, CP takes care of routing to the remote encryption domains for you.

Chris

-----Original Message-----
From: Joel Turoff
To: [email protected]
Sent: 2/8/01 9:45 PM
Subject: [FW1] Architecture for connecting multiple sites via VPN

Greetings!

I am wondering what the best architecture is to connect multiple sites together with a VPN. I have four locations, and each needs to have a VPN into every other site. I know that I can certainly set up a VPN between every firewall, but this loads down the rule base and isn't scalable. Whenever I add another site, there will be numerous VPNs to configure.

Is there some way to create a central hub site and link all the sites in this manner? Traffic would travel to the hub encrypted, then there would be a short unencrypted hop to the next firewall, where it would then be encrypted until reaching the destination network. Is this sort of split-tunnel VPN possible with Checkpoint 4.1? What would be the mechanism for routing the traffic at the hub between firewalls? Is it as simple as adding a few static routes on the firewalls?

Many thanks for any ideas or suggestions on where to find more information about this.

Joel

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================