
[FW-1] Using FW-1 VPN connections for redundancy / encryption domain problems.


  • To: [email protected]
  • Subject: [FW-1] Using FW-1 VPN connections for redundancy / encryption domain problems.
  • From: "Jarmoc, Jeff R." <[email protected]>
  • Date: Thu, 18 Sep 2003 10:16:13 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcN5k/hAaa6DfrmfRvmwkm8/mNpCYgEY8CqQ
  • Thread-topic: Using FW-1 VPN connections for redundancy / encryption domain problems.

My company has a handful of sites which have both WAN connections and
Internet connections which are run through Checkpoint firewalls.
Recently, we've had the idea to use the internet connections for
redundancy in the event one of the WAN connections fails.  However,
we're having some trouble determining exactly how to do this.

As I see it, there are two separate things which must be accomplished in
order for this to work:
        - Our network must detect the failure of the WAN connection, and
route traffic to the firewall.
        - The firewalls must establish a VPN tunnel to pass the traffic
over the internet securely, and allow use of our internal address space.
The first step doesn't seem too difficult, and I'm pretty sure we have
that worked out.  I'm hoping someone can help with step two.

Were there only two sites, or any number of sites each with an internet
and a WAN connection this would be pretty simple.  In our case however,
we have several sites, and only a small number have WAN connections.  As
a result, this configuration is proving difficult due to the firewall's
encryption domains.  In order for all remote sites to be accessible
through Secure Client and/or a VPN tunnel into a specific site, they
need to be part of its encryption domain.  The result is that our
encryption domains overlap.  In normal use, this doesn't pose a problem.
However, let's suppose we have two sites which are connected via WAN,
each with their own internet connection.  If one of these sites loses
its WAN connection, traffic destined for it is rerouted to the firewall
on the opposite site.  However, since the destination site (the one with
the outage) is in the firewall's encryption domain, the traffic won't be
tunneled.

Does anyone have any ideas for how to handle this situation?  The best I
can come up with is that we need a way to modify our encryption domains.
The easiest way would be to have the encryption domain draw from what
routes are known to the firewall.  Is this possible?  Are there any
other methods I'm overlooking?

Thanks in advance for any advice or insight you can provide.

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & [email protected]

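The failure mode described in the post, modelled as an added example (not code from the poster or from Check Point): a simplified VPN match where a destination inside the local gateway's own encryption domain is never tunnelled, contrasted with the route-derived domain the poster asks about. The topology, subnets, interface names and the decision rule are all constructed assumptions for illustration; Check Point's real match logic is richer than this.

```python
import ipaddress

# Constructed topology (assumption): two sites joined by a WAN link, each with
# its own gateway and Internet link. Addresses are invented for the example.
SITE_A_NET = ipaddress.ip_network("10.1.0.0/16")
SITE_B_NET = ipaddress.ip_network("10.2.0.0/16")

# Static encryption domains as the post describes them: because every site
# must be reachable through either gateway's VPN, both domains cover both sites.
STATIC_DOMAIN_A = [SITE_A_NET, SITE_B_NET]
STATIC_DOMAIN_B = [SITE_A_NET, SITE_B_NET]

# Routing table on the Site A gateway with the WAN to Site B up versus down;
# on failure the route to Site B flips to the Internet-facing interface.
ROUTES_WAN_UP = {SITE_A_NET: "lan", SITE_B_NET: "wan"}
ROUTES_WAN_DOWN = {SITE_A_NET: "lan", SITE_B_NET: "internet"}


def in_domain(dst, domain):
    return any(dst in net for net in domain)


def tunnel_decision(dst, local_domain, peer_domain):
    """Simplified match rule (assumption): a destination inside the local
    domain is treated as internal and forwarded in the clear; only traffic
    leaving the local domain for a peer domain is encrypted."""
    dst = ipaddress.ip_address(dst)
    if in_domain(dst, local_domain):
        return "clear"
    if in_domain(dst, peer_domain):
        return "tunnel"
    return "drop"


def route_derived_domain(routing_table):
    """The alternative the post asks about: build the local domain from the
    routes currently known, keeping only prefixes reachable over an internal
    interface (anything now routed via the Internet is no longer 'local')."""
    return [net for net, iface in routing_table.items() if iface != "internet"]


def decide_with_static(dst):
    # Overlapping static domains: Site B traffic matches the local domain
    # first, so after a WAN failure it is sent in the clear rather than tunnelled.
    return tunnel_decision(dst, STATIC_DOMAIN_A, STATIC_DOMAIN_B)


def decide_with_routes(dst, routes):
    # Route-derived local domain: once Site B is only reachable via the
    # Internet it drops out of the local domain and the peer match tunnels it.
    return tunnel_decision(dst, route_derived_domain(routes), STATIC_DOMAIN_B)
```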
   All contents © 2004 Network Presence, LLC. All rights reserved.