Aleks,

If you're talking about full-mesh VPN with redundancies between sites, then in terms of Cisco, OSPF/GRE/IPsec or Dynamic Multipoint VPN (DMVPN) is definitely the way to go.

However, to my knowledge, Checkpoint, in the NGx release, has something called routing-based VPN, which is similar to Cisco. With routing-based VPN, you're talking about Virtual Tunnel Interface (VTI), where dynamic routing protocols can traverse and get encrypted via IPsec.

I've never used VTI or routing-based VPN with Checkpoint, so I cannot comment on the reliability of it. However, I've set up DMVPN and OSPF/GRE/IPsec with Cisco and I can tell you that it is not that difficult and very reliable. Maybe Checkpoint VTI and routing-based VPN in NGx are just as reliable as well. Again, I cannot comment on it because I've never tested it.

From what I can see, you can run a GRE tunnel on the Nokia and encrypt the GRE tunnel with IPsec. That way, you can run OSPF across the IPsec tunnel via GRE. Furthermore, running OSPF on the Nokia is FREE. Basically, you can accomplish the same thing with Nokia as you would with Cisco. I've set up GRE on Nokia and they are very simple to set up.

Good luck!

cisco4ng

Aleks Feltin <[EMAIL PROTECTED]> wrote:

Hi folks!

I am looking for your help, which could be a solution to my issue.

I'm building a site-to-site VPN between 3 gateways. Gateways authenticate each other using the pre-shared key. Different VPN-1 versions are used, with management installed on each. There is also one Nokia IP-40 embedded device. Communication between IP-40 and NGX works just perfectly, although this is not enough. To complete the goal, a node in LAN-A should access resources in LAN-B and vice versa.

The Check Point VPN guide offers 2 ways to implement VPN routing: based on the VPN domain or using the OS routing. I believe the latter is much harder.

My first question is which one could be easier to use, and where I could find some step-by-step guides for a similar topology? Additionally, sharing your experience is appreciated!

Here is some information about the topology:

    VPN Domain A -- 192.168.11.0/24
          |
          |
    [ 192.168.11.1 ]
    Firewall A (IPSO/R55W)
    [ 10.0.5.2 ]
          |
          |
    External Network -- 10.0.5.0/24
          |
          |
    switch ----- 10.0.5.1 Central Gateway (IPSO/NGX)
          |
          |
    External Network 10.0.5.0/24
          |
          |
    [ 10.0.5.4 ]
    Firewall B (Nokia IP-40 embedded device)
    [ 192.168.10.1 ]
          |
          |
    VPN Domain B -- 192.168.10.0/24

I hope to get some helpful answers; also, I am ready to supply you with additional information if needed.

With best regards,
Aleks

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
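
The OSPF/GRE/IPsec design the reply describes, sketched as an added Cisco IOS hub configuration (not part of the original thread), with the hub standing in for the central gateway at 10.0.5.1 and one GRE tunnel each to 10.0.5.2 and 10.0.5.4 from the topology above. The tunnel subnets, the names GRE-ESP and GRE-PROT, the key placeholders and the algorithm choices are assumptions.

```cisco
! Added example: hub router standing in for the central gateway (10.0.5.1).
! Tunnel subnets, names and key placeholders are assumptions, not from the thread.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One pre-shared key per peer, so a leaked key exposes a single site only
crypto isakmp key REPLACE_WITH_KEY_SITE_A address 10.0.5.2
crypto isakmp key REPLACE_WITH_KEY_SITE_B address 10.0.5.4
!
! Transport mode: GRE already supplies the outer IP header
crypto ipsec transform-set GRE-ESP esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-ESP
!
interface Tunnel11
 description GRE/IPsec to Firewall A (LAN 192.168.11.0/24)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.0.5.1
 tunnel destination 10.0.5.2
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel10
 description GRE/IPsec to Firewall B (LAN 192.168.10.0/24)
 ip address 172.16.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.0.5.1
 tunnel destination 10.0.5.4
 tunnel protection ipsec profile GRE-PROT
!
! OSPF runs only on the tunnels, so every routing update is sent inside ESP
router ospf 1
 passive-interface default
 no passive-interface Tunnel11
 no passive-interface Tunnel10
 network 172.16.0.0 0.0.0.7 area 0
```

Each site router mirrors one tunnel and advertises its LAN into area 0, so LAN-A and LAN-B reach each other through routes learned over the encrypted tunnels; `show crypto ipsec sa` and `show ip ospf neighbor` confirm the encryption and the adjacency.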
