Re: [FW1] Re-Routing VPN Traffic
We have a similar problem - although ours is made worse by the fact that the single connection point in our case is running on a Nortel VPN box:-

SiteA - - CPpointVPN - - Site B - - Nortel VPN - - Site C

SiteA to B no problem, Site B to C no problem, Site A to C doesn't work - get dest unreachable from traceroute (from an ISP router) but can't see any obvious routing config errors at our end.

Any ideas on our situation would help.

Tim
Hmm.. I think the only way to do this would be fully meshed. Anyone else have any ideas on this one?

-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Consultant
Email: [email protected]
SiegeWorks
WebSite: http://www.siegeworks.com/
Enterprise Support, Security Consulting and Training
-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-

----- Original Message -----
From: Andreas Eltrich <[email protected]>
To: <[email protected]>
Sent: Tuesday, April 17, 2001 3:29 AM
Subject: [FW1] Re-Routing VPN Traffic

>
> Hi!
>
> last week I've set up a VPN triangle between three Nokia IP330 with
> Single-Gateway/VPN-1 4.1 SP3. All three firewalls are managed through their
> own management module. Encryption scheme is 3DES/IKE. There is a 10.x/21
> net behind each of the boxes. SecuRemote Dialin is possible to each of
> them.
>
> Now this VPN needs to be connected to another branch in another country.
> The customer wanted to build only one VPN tunnel to the new branch, but
> re-route all traffic within the whole VPN to get the new branch reachable
> from everywhere.
>
>                  Site D (new)
>                  10.30/21
>                  +------+
>                  |      |
>                  +------+
>                     :
>                     :
>                     :
>                     :
>                  +------+
>                  |      | Site A
>                  +------+ 10.31/21
>                     /\
>                    /  \
>                   /    \
>                  /      \
>                 /        \
>                /          \
>               /            \
>           +------+      +------+
>    Site B |      |------|      | Site C
>  10.32/21 +------+      +------+ 10.33/21
>
> In my understanding there needs to be a full-mesh topology to achieve full
> connectivity. Or is it possible to connect the triangle only at one end to
> the fourth site? If yes, please describe how to set up IP routing for the
> 10.x/21 nets and how to set up encryption domains at each site.
>
> What about SecuRemote clients? Will they be able to reach site D when
> dialing into the other sites?
>
> Thank you in advance!
>
> regards, Elchy
>
> --
> A. Eltrich - mailto:[email protected]
> LAN/WAN System Engineer - http://www.inotronic.de/
> inotronic Computers GmbH - Pfaelzer-Wald-Str. 70
> D-81539 Muenchen - Tel: +49-89-439007-0 - Fax: -41