Re: [FW-1] AW: [FW-1] VPN with OSPF for Failover



On Mon, Oct 29, 2001 at 06:50:38AM +0100, [email protected] wrote:
> Hi
>
> How have you implemented the ISDN backup in the current company? Do you use
> a routing protocol or a static route?
> Is the ISDN traffic also encrypted?

        [The question below was using OSPF for Site to Site failover]

        To pass OSPF you'll need to use a GRE tunnel since IPSec
        only passes unicast traffic (or use BGP which is a simple TCP port).
        One way to do this is encapsulate routing info into GRE internally
        on a Cisco and then pass to Checkpoint (at this point it's just IP)
        for encryption. At the remote site, have the Cisco open up the GRE
        packet and decrypt on the Cisco or pass the IP Checkpoint. We've
        proven this in the lab but used Cisco-Cisco and EIGRP.
        ISDN backup fires up when the route "floats up" if the main link
        fails. No encryption (it's a point-to-point, not needed).

        For normal Checkpoint VPN failover for remote access none of this
        is needed. Just set up your encryption domain as fully overlapping
        and if one VPN goes down users connect to the other (controlled by
        Checkpoint's RDP protocol). This solution is for Site-to-Site.

                                        alan
>
> Thanks for your information.
>
> regards
> manfred
>
> -----Original Message-----
> From: Cardona, Alberto [mailto:[email protected]]
> Sent: Thursday, October 25, 2001 16:55
> To: [email protected]
> Subject: Re: [FW-1] VPN with OSPF for Failover
>
>
> What I want to do is for my friend's remote vpn sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a Full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP through his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection
> back into the headquarters (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the
> failover design because IPsec can't handle multicast broadcast traffic (e.g.
> OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco Router based VPN design.
> Cisco's 1750 for Remote sites and 7140 for each Hub.
> Each router, both remote site and hub, will have Cisco's firewall/IDS package
> and encryption module.
> The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> In case of a failover to the Secondary HUB, OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1).  He is afraid because this design relies on a 1 tier security design.
>      The Cisco's routers will be handling the VPN, Routing Protocols,
> Firewall, and IDS on each router.
>      His current design is 2 tier level.
>      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
>
> 2).  He thinks his Voice over IP will fail between remote sites because the
> MESH will be gone.
>
> 3).  The performance on the Cisco.  Would they be able to handle the load?
>      Since they will be doing everything. (VPN, Routing, and IDS)
>
> Has anyone implemented this solution?
>
>
>
> AC
>
>
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
>
> That depends on what you mean by "running site to site IPsec VPNs and using
> OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> or using OSPF to route traffic to available VPN endpoints before going
> through a tunnel or on your edge routers once your VPN traffic has been
> encapsulated?
>
> Chris
>
> -----Original Message-----
> From: Cardona, Alberto
> To: [email protected]
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
>
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
> AC
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
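
The GRE encapsulation described in the reply above, as an added example that is not part of the original thread: an OSPF hello addressed to the multicast group is wrapped in GRE so the VPN gateway sees only a unicast IP packet, and the far side unwraps it. The addresses, the placeholder hello payload and the `unicast_only_vpn_accepts` check are constructed assumptions, not Check Point or Cisco code.

```python
import ipaddress
import struct

OSPF_PROTO, GRE_PROTO = 89, 47      # IP protocol numbers for OSPF and GRE
ALL_SPF_ROUTERS = "224.0.0.5"       # multicast group OSPF hellos are sent to

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) to payload."""
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(checksum(pack(0))) + payload

def parse(pkt: bytes):
    """Return (src, dst, proto, payload) of an option-less IPv4 packet."""
    src, dst = (ipaddress.IPv4Address(pkt[i:i + 4]) for i in (12, 16))
    return src, dst, pkt[9], pkt[20:]

def gre_encap(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Wrap inner in a basic GRE header (no flags, type 0x0800 = IPv4)."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4(tun_src, tun_dst, GRE_PROTO, gre + inner)

def gre_decap(outer: bytes) -> bytes:
    """Remote tunnel endpoint: strip outer IP and GRE, return the inner packet."""
    _, _, proto, payload = parse(outer)
    flags, ptype = struct.unpack("!HH", payload[:4])
    if proto != GRE_PROTO or flags != 0 or ptype != 0x0800:
        raise ValueError("not a basic GRE/IPv4 packet")
    return payload[4:]

def unicast_only_vpn_accepts(pkt: bytes) -> bool:
    """Hypothetical model of a VPN that carries only unicast destinations."""
    return not parse(pkt)[1].is_multicast

# Constructed sample: placeholder OSPF hello, then the same packet inside GRE
hello = ipv4("10.255.0.1", ALL_SPF_ROUTERS, OSPF_PROTO, b"constructed-hello", ttl=1)
wrapped = gre_encap(hello, "192.0.2.1", "198.51.100.1")
```
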



 
   All contents © 2004 Network Presence, LLC. All rights reserved.