Dear guru,

Has anyone tried building site-to-site with MEP?

Environment:
Net A <--------------> FW-A <--------------> Internet
<-------ISP 1------> Link Load Balancer
(NAT)<-------------> FW-B <----------------> Net B

      ^                                            ^

      |--------------  ISP2----------------------|



We want to establish an s-to-s VPN between Net A & Net B,
with 2 VPN gateways, where the firewall in Site B is behind a
Link Load Balancer (NATed) connecting to two ISPs.
Both FWs are already using NGAI R55 and are separately
managed.

Objects in FW-A
* Local_GW_FW-A
* Net_A
* Peer_GW_ISP_1
* Peer_GW_ISP_2
* Net_B

Objects in FW-B
* Local_GW_FW-B
* Net_B
* Peer_GW_FW-A
* Net_A

FW Rules
1. Net_A    Net_B    My_Intranet    Any    Allow
2. Net_B    Net_A    My_Intranet    Any    Allow

VPN Community
NAT is disabled
Shared Secret


* We tried to configure MEP; however, we found that
FW-A is trying to establish a VPN to Peer_ISP1 &
Peer_ISP2 at the same time. When failover occurs,
the traffic can no longer get through, even though the
tunnel is healthy, and it seems both GWs (FW-A & FW-B)
are using two different keys for encryption & decryption.
It becomes normal again if we reboot both gateways.
We tried to enable "First to response" but it seems it
didn't work.

* We tried to enable "Backup Gateway" listed in MEP, but
that failed too.

Questions
1. Can we use MEP for this scenario? Because it is
virtually two entries for Net-A.

Do you have any ideas?

thanks in advance,
NICK


