Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] Re-Routing VPN Traffic

To: [email protected]
Subject: Re: [FW1] Re-Routing VPN Traffic
From: Andreas Eltrich <[email protected]>
Date: Tue, 24 Apr 2001 17:47:27 +0200
In-reply-to: <[email protected]>; from "Larry Pingree" on Mon, Apr 23, 2001 at 10:38:37 AM -0700
Organization: inotronic Computers GmbH
References: <[email protected]> <[email protected]> <[email protected]>
Sender: [email protected]
User-agent: Mutt/1.2.5i

Larry Pingree wrote:
> Hmm.. I think the only way to do this would be fully meshed. Anyone else
> have any ideas on this one?


T.Higgins wrote:
> We have a similar problem - although ours is made worse by the fact that 
> the single connection point in our case is running on a Nortel VPN box:-
> 
> SiteA - - CPpointVPN - - Site B - - Nortel VPN - - Site C
> 
> SiteA to B no problem, Site B to C no problem, Site A to C doesn't work - 
> get dest unreachable from traceroute (from an ISP router) but can't see 
> any obvious routing config errors at our end.
> 
> Any ideas on our situation would help.

Since I connected a second leaf site through another VPN box (cisco) last
week, I got some new experiences on this.

I _is_ possible to re-route VPN-traffic through several tunnels, but you
have to mess around with the encryption domain settings. Here is what one
is supposed to do in my example:


                      Site D (new)
                       10.30/21
                       +------+
                       |      |
                       +------+
                          :
                          :
                          :
                          :
                       +------+
                       |      |  Site A
                       +------+ 10.31/21
                          /\
                         /  \
                        /    \
                       /      \
                      /        \
                     /          \
                    /            \
                +------+      +------+
        Site B  |      |------|      |  Site C
       10.32/21 +------+      +------+ 10.33/21

 - Define Site A and D to be the ED of Site A at Site B
 - Define Site A and D to be the ED of Site A at Site C
 - Define Site A, B and C to be the ED of Site A at Site D
 - At Site A define the original ED for each other Site

Be aware, that re-routing through multiple tunnels doesn't increase
round-trip-times and reliabilty. And it is a horrible task to maintain such
a VPN when different administrators are involved... ;)

Perhaps someone knows a kind of Design-Guide for large VPNs. Didn't find
something like this on checkpoint.com :(

Bye, Elchy

Disclaimer: I'm not absolutely sure that above configuration is working. My
            own VPN looks somewhat different and includes devices of other
            manufacturers. Please correct me, if I'm wrong.
-- 
 A. Eltrich  -  mailto:[email protected]
 LAN/WAN System Engineer - http://www.inotronic.de/
 inotronic Computers GmbH  -  Pfaelzer-Wald-Str. 70
 D-81539 Muenchen - Tel: +49-89-439007-0 - Fax: -41


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- Re: [FW1] Re-Routing VPN Traffic
  - From: [email protected]
- [FW1] Re-Routing VPN Traffic
  - From: Andreas Eltrich <[email protected]>
- Re: [FW1] Re-Routing VPN Traffic
  - From: "Larry Pingree" <[email protected]>

Prev by Date: Re: [FW1] MSN Messenger
Next by Date: [FW1] DCE-RPC (MS-RPC) and FW-1
Previous by thread: Re: [FW1] Re-Routing VPN Traffic
Next by thread: Re: [FW1] Re-Routing VPN Traffic
Index(es):
- Date
- Thread