
Re: [FW-1] VPN with OSPF for Failover



From what you describe, and without knowing his requirements for
security, I think you are going to have a major headache getting
a favourable assessment from an independent third party.

You state little about the bandwidths involved, so I cannot tell you
whether it will hold up. The 7140s are a somewhat limited and dated
design (and my memory cannot tell me whether you get VPN accelerators
for the 7140s?).

And reading the reasoning presented by your customer with regards to
why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
will work quite well with FW-1 on at least Solaris and Linux. And why
IPSec should not handle multicast traffic is to me a mystery (and I
hold CCNP/CCDP and should have a clue).

Since you are implementing hub and spoke for the frame bit, it will
not help to have a secondary location hooked into the central
point, as you gain zero failover capability (i.e. if the pipe fails
into the central location you are hosed anyway).

cheers,
Alexander

"Cardona, Alberto" <[email protected]> writes:

> What I want to do is for my friend's remote vpn sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a Full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP thru his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection
> back into the headquarters (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the
> failover design because IPsec can't handle multicast broadcast traffic (ex
> OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco Router based VPN design.
> Cisco's 1750 for Remote sites and 7140 for each Hub.
> Each router both remote site and hub will have Cisco's firewall/IDS package
> and encryption module
> The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> In case of a failover to the secondary HUB, OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1).  He is afraid because this design relies on a 1 tier security design.
>      The Cisco's routers will be handling the VPN, Routing Protocols,
> Firewall, and IDS on each router.
>      His current design is 2 tier level.
>      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
>
> 2).  He thinks his Voice over IP will fail between remote sites because the
> MESH will be gone.
>
> 3).  The performance on the Cisco.  Would they be able to handle the load?
>      Since they will be doing everything. (VPN, Routing, and IDS)
>
> Has anyone implemented this solution?
>
>
>
> AC
>
>
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
>
> That depends on what you mean by "running site to site IPsec VPNs and using
> OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> or using OSPF to route traffic to available VPN endpoints before going
> through a tunnel or on your edge routers once your VPN traffic has been
> encapsulated?
>
> Chris
>
> -----Original Message-----
> From: Cardona, Alberto
> To: [email protected]
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
>
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
> AC
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
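The GRE-over-IPsec hub-and-spoke design Alberto describes, with OSPF steering traffic to the secondary hub when the primary one goes away, as an added example that is not from anyone in this thread: a spoke-router configuration in Cisco IOS syntax. The hostname, every address, the pre-shared-key placeholder, the interface names and the OSPF costs are assumptions; the Cisco firewall/IDS feature set mentioned in the thread is not shown.

```cisco
! Hypothetical remote-site spoke (constructed addresses, not from the thread).
! Serial0 faces the Internet; FastEthernet0 is the site LAN.
hostname spoke1
!
! Phase 1: parameters as described in the thread (3DES); PSK is a placeholder.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK-NY address 198.51.100.1
crypto isakmp key PLACEHOLDER-PSK-HOU address 203.0.113.1
!
! Phase 2: transport mode is enough because GRE already adds the outer header.
crypto ipsec transform-set GRE-3DES esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACLs match only the GRE carrier packets between tunnel endpoints,
! so OSPF hellos and user data inside GRE are all encrypted.
access-list 101 permit gre host 192.0.2.2 host 198.51.100.1
access-list 102 permit gre host 192.0.2.2 host 203.0.113.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-3DES
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-3DES
 match address 102
!
interface Serial0
 description Internet uplink
 ip address 192.0.2.2 255.255.255.252
 crypto map VPN
!
! Primary hub (New York): low cost, preferred by OSPF while it is up.
interface Tunnel0
 description GRE to primary hub NY
 ip address 10.255.0.2 255.255.255.252
 ip ospf hello-interval 10
 ip ospf dead-interval 30
 ip ospf cost 10
 tunnel source Serial0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! Secondary hub (Houston): higher cost, used only when Tunnel0 adjacency drops.
interface Tunnel1
 description GRE to secondary hub Houston
 ip address 10.255.1.2 255.255.255.252
 ip ospf hello-interval 10
 ip ospf dead-interval 30
 ip ospf cost 100
 tunnel source Serial0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
!
interface FastEthernet0
 description Site LAN
 ip address 10.10.1.1 255.255.255.0
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.255.255 area 0
 passive-interface FastEthernet0
 passive-interface Serial0
!
! Default route so the hubs' public addresses stay reachable outside the tunnels.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Two things to check on such a build. First, the hubs' public addresses must never be advertised into OSPF over the tunnels, otherwise the spoke learns the tunnel destination through the tunnel itself and the tunnel flaps (recursive routing); only the tunnel and LAN prefixes belong in the OSPF network statements, and Serial0 is passive so no hellos leak toward the Internet. Second, failover time is bounded by the OSPF dead interval on the tunnel interfaces, not by IPsec, so tune those timers rather than the ISAKMP lifetimes. The 3DES and DH group 2 choices reproduce what the thread's 2001 design calls for and are not what one would select today.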