On 8/2/05, Aditya Irawan <[EMAIL PROTECTED]> wrote:
>
> I was planning to implement MEP VPN with RIM.
> So would it be possible to do it with just NGX and SPLAT, or should I use SPLAT
> Pro?
> Since in the RIM manual I found that RIM needs a "dynamic routing protocol to
> propagate the encryption domain of a VPN-1 Pro peer gateway to the internal
> network"

RIM is basically injecting a route about the VPN status to a router which is a neighbor of the central VPN/firewall gateway. Obviously, for the route to be injected the VPN gateway has to be part of the routing cloud and "speak" dynamic routing, so a dynamic routing daemon is needed in the gateway.

In NGX, the only *supported* way to use dynamic routing in a Check Point environment is using SPLAT Pro, so if you want to have the official CP blessing on your installation, you'd have to use SPLAT Pro.

As always, you can use Zebra or install whatever on your SPLAT. This would leave your installation without support but may work. If it works this way, and you're happy and don't care about support, you can do it without SPLAT Pro, using purely SPLAT.

> My condition:
> Two ISP links, each using a FW-1 enforcement point, and 1 SmartCentre.
> We're using NG FP3 at the moment.
> We don't have any proxy/router gateway behind the firewalls.

You mean by this that you don't have a router in the "inside" segment, right?

> So the default gateway is pushed by the DHCP server or set manually on client PCs.

I'm assuming client PCs that are in the "inside" segment, again.

> There would be a little hassle for browsing users when one of the ISP links
> is down. But the real problem is with the VPN connection.
> We cannot just change the client routing because the other gateway doesn't
> have a VPN connection established.

Client-to-site or site-to-site VPN connection? (Seems to me client-to-site, but I would like to clarify.)

From inside users to an external gateway so they can use resources in a foreign network, or from external users to the gateways you manage, so they can use the resources in your "inside" network?

> That's why I'm trying to implement the MEP VPN. And I'm thinking that MEP
> with IP Pool NAT wouldn't work since the traffic will initiate from our site,
> not from the remote site.
>

If it's from inside users to the outside gateway, I don't see too much use of RIM here, especially because there's no router inside.

If you're talking about site-to-site VPNs where your 2 gateways connect to foreign offices for example, and you want the gateways to automatically tell the users which of the 2 gateways they should use to get out, this is doable using a router in your inside segment, and then using RIM in the VPN gateways....

HTH.

- Martín.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
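The behaviour Martín describes (RIM advertising a peer's encryption domain to an inside router only while the tunnel to that peer is up, and the contrast with a fixed DHCP-assigned default gateway that never learns about tunnel state) can be modelled in a few lines. The following is an added illustration written for this thread, not Check Point code and not the RIM implementation; the gateway addresses, the peer encryption domain and the `Tunnel` record are constructed for the example.

```python
"""Toy model of route injection for a multiple-entry-point (MEP) VPN pair.

Added example, not Check Point's RIM code. It models two facts from the
thread: a gateway injects a route for a peer's encryption domain only while
its tunnel to that peer is up, and a client with a static default gateway
(no inside router) never sees that change.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    gateway: str      # inside-segment address of the VPN gateway (constructed)
    peer_domain: str  # encryption domain of the remote peer, e.g. "192.168.50.0/24"
    up: bool          # tunnel state as the injection mechanism observes it


def injected_routes(tunnels):
    """Routes the gateways would push into the dynamic routing protocol.

    Returns {prefix: [next-hop gateways]}; a prefix disappears entirely when
    no gateway has a live tunnel to that peer (the route is withdrawn).
    """
    rib = {}
    for t in tunnels:
        if t.up:
            rib.setdefault(str(ip_network(t.peer_domain)), []).append(t.gateway)
    return {prefix: sorted(hops) for prefix, hops in rib.items()}


def next_hop_via_router(tunnels, dst):
    """What an inside router peering with the gateways would choose for dst.

    Longest-prefix match over the injected routes. With MEP both gateways may
    be up and inject the same prefix; the lowest next hop is picked here to
    keep the result deterministic. None means no gateway currently has a
    live tunnel covering dst.
    """
    addr = ip_address(dst)
    best = None
    for prefix, hops in injected_routes(tunnels).items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hops)
    return best[1][0] if best else None


def next_hop_static(default_gateway, tunnels, dst):
    """The poster's current setup: no inside router, clients get one default
    gateway from DHCP. Tunnel state plays no part in the choice."""
    return default_gateway


def stranded(default_gateway, tunnels, dst):
    """True when a statically configured client would send dst traffic to a
    gateway whose tunnel is down while the other gateway could carry it.
    This is the failure the thread is trying to avoid."""
    addr = ip_address(dst)
    covering = [t for t in tunnels if addr in ip_network(t.peer_domain)]
    via_default = any(t.up for t in covering if t.gateway == default_gateway)
    via_other = any(t.up for t in covering if t.gateway != default_gateway)
    return (not via_default) and via_other


if __name__ == "__main__":
    # Constructed scenario: two gateways, one remote peer domain, gateway A drops.
    both_up = [Tunnel("10.1.1.1", "192.168.50.0/24", True),
               Tunnel("10.1.1.2", "192.168.50.0/24", True)]
    a_down = [Tunnel("10.1.1.1", "192.168.50.0/24", False),
              Tunnel("10.1.1.2", "192.168.50.0/24", True)]
    for label, state in (("both up", both_up), ("A down", a_down)):
        print(label, "router RIB:", injected_routes(state))
        print("  via router ->", next_hop_via_router(state, "192.168.50.7"))
        print("  static DHCP ->", next_hop_static("10.1.1.1", state, "192.168.50.7"),
              "stranded:", stranded("10.1.1.1", state, "192.168.50.7"))
```

Running it shows the router's table shrinking to the surviving gateway when tunnel A goes down, while the static client keeps pointing at 10.1.1.1 and is reported as stranded; that gap is why the injected route needs a router on the inside segment to land on.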
