[FW-1] Using FW-1 VPN connections for redundancy / encryption domain problems.
My company has a handful of sites which have both WAN connections and Internet connections which are run through Checkpoint firewalls. Recently, we've had the idea to use the internet connections for redundancy in the event one of the WAN connections fails. However, we're having some trouble determining exactly how to do this.

As I see it, there are two separate things which must be accomplished in order for this to work:

- Our network must detect the failure of the WAN connection, and route traffic to the firewall.
- The firewalls must establish a VPN tunnel to pass the traffic over the internet securely, and allow use of our internal address space.

The first step doesn't seem too difficult, and I'm pretty sure we have that worked out. I'm hoping someone can help with step two.

Were there only two sites, or any number of sites each with an internet and a WAN connection, this would be pretty simple. In our case however, we have several sites, and only a small number have WAN connections. As a result, this configuration is proving difficult due to the firewall's encryption domains. In order for all remote sites to be accessible through Secure Client and/or a VPN tunnel into a specific site, they need to be part of its encryption domain. The result is that our encryption domains overlap.

In normal use, this doesn't pose a problem. However, let's suppose we have two sites which are connected via WAN, each with their own internet connection. If one of these sites loses its WAN connection, traffic destined for it is rerouted to the firewall on the opposite site. However, since the destination site (the one with the outage) is in the firewall's encryption domain, the traffic won't be tunneled.

Does anyone have any ideas for how to handle this situation? The best I can come up with is that we need a way to modify our encryption domains. The easiest way would be to have the encryption domain draw from what routes are known to the firewall. Is this possible?
Are there any other methods I'm overlooking? Thanks in advance for any advice or insight you can provide.

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & [email protected]
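The failure mode described in the post, and the route-derived encryption domain it asks for, are easier to reason about with a small model. The following is an added example written for this page; it is not Check Point code and not the poster's configuration. It assumes a constructed topology: sites A and B each have a LAN, a firewall, an Internet link and a WAN link to each other; site C has no firewall and is reached through B's second WAN link, which is why both A's and B's hand-configured encryption domains list all three LANs. The "routed" mode, where the domain is rebuilt from whichever routes currently leave through an internal interface, is hypothetical; the post's own question is whether FW-1 can do this. The tunnelling decision rule (a destination inside the local domain is treated as internal and never tunnelled) is taken from the post's description, not from Check Point documentation.

```python
"""Model of an overlapping VPN encryption domain breaking WAN failover.

Constructed example for illustration; not Check Point code.  Interface
names (lan/wan/wan2/inet), addresses and metrics are all made up.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

LAN_A = ipaddress.ip_network("10.1.0.0/16")   # constructed site A LAN
LAN_B = ipaddress.ip_network("10.2.0.0/16")   # constructed site B LAN
LAN_C = ipaddress.ip_network("10.3.0.0/16")   # constructed site C LAN (no firewall)

# Interfaces that face the private network; "inet" is the Internet link.
INTERNAL_IFACES = {"lan", "wan", "wan2"}


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    metric: int = 0   # a higher-metric "floating" route is the failover path


class Gateway:
    def __init__(self, name, routes, static_domain):
        self.name = name
        self.routes = list(routes)
        self.static_domain = set(static_domain)     # hand-configured domain
        self.link_up = {r.iface: True for r in routes}

    def best_route(self, addr):
        """Longest prefix, then lowest metric, over routes whose link is up."""
        addr = ipaddress.ip_address(addr)
        cands = [r for r in self.routes
                 if self.link_up[r.iface] and addr in r.prefix]
        if not cands:
            return None
        return min(cands, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def domain(self, mode):
        """Encryption domain as a set of networks.

        "static": the hand-configured object list (the post's current setup).
        "routed": hypothetical route-derived domain: a prefix belongs to the
                  domain only while its best current route leaves through an
                  internal interface.  When the WAN fails and the floating
                  route via "inet" takes over, the prefix drops out.
        """
        if mode == "static":
            return set(self.static_domain)
        out = set()
        for prefix in {r.prefix for r in self.routes}:
            best = self.best_route(prefix.network_address)
            if best is not None and best.iface in INTERNAL_IFACES:
                out.add(prefix)
        return out


def in_domain(addr, domain):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in domain)


def forward(local, peer, src, dst, mode):
    """Decision at the local gateway for one src->dst packet.

    Rule taken from the post: a destination inside the gateway's own
    encryption domain is treated as internal and forwarded in the clear
    along its route; only a destination in the peer's domain (and outside
    the local one) is sent into the VPN tunnel.  Returns a short tag:
    "clear:<iface>", "tunnel:<peer>" or "dropped".
    """
    if in_domain(dst, local.domain(mode)):
        route = local.best_route(dst)
        # "clear:inet" is the failure the post describes: a private
        # destination leaves toward the Internet unencrypted instead of
        # entering the tunnel.
        return "clear:" + route.iface if route else "dropped"
    if in_domain(src, local.domain(mode)) and in_domain(dst, peer.domain(mode)):
        return "tunnel:" + peer.name
    return "dropped"


def build_sites():
    """Constructed two-firewall topology with C hanging off B's second WAN."""
    a = Gateway("A", [Route(LAN_A, "lan"),
                      Route(LAN_B, "wan", 10), Route(LAN_C, "wan", 10),
                      Route(LAN_B, "inet", 100), Route(LAN_C, "inet", 100)],
                {LAN_A, LAN_B, LAN_C})
    b = Gateway("B", [Route(LAN_B, "lan"), Route(LAN_C, "wan2", 10),
                      Route(LAN_A, "wan", 10), Route(LAN_A, "inet", 100)],
                {LAN_A, LAN_B, LAN_C})
    return a, b


def simulate(mode, wan_up, dst="10.2.0.7"):
    """Packet from a host at site A to dst, with the A-B WAN up or down."""
    a, b = build_sites()
    a.link_up["wan"] = b.link_up["wan"] = wan_up
    return forward(a, b, "10.1.0.5", dst, mode)


if __name__ == "__main__":
    for mode in ("static", "routed"):
        for wan_up in (True, False):
            for dst in ("10.2.0.7", "10.3.0.9"):
                print(f"{mode:6} wan_up={wan_up!s:5} dst={dst:9} -> "
                      f"{simulate(mode, wan_up, dst)}")
```

With the static domain, losing the WAN leaves the A->B packet classified as internal, so it rides the floating Internet route in the clear and never reaches B. With the route-derived domain, the same link loss removes B's and C's prefixes from A's domain, B (whose own routed domain still holds B and C through its surviving links) becomes the peer that owns them, and the packet is tunnelled. The same logic covers the hub case: traffic for C, which has no firewall, is tunnelled to B because B's routed domain still contains C.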