cisco4ng,
Thanks for your answer, but could you please provide me with some
how-tos on setting up a GRE tunnel on Nokia?
I am sorry, I am not that technical when it comes to routing. I
will start to learn this stuff soon.
Aleks,
If you're talking about full-mesh VPN with redundancies between sites, then
in terms of Cisco, OSPF/GRE/IPsec or Dynamic Multipoint VPN
(DMVPN) is definitely the way to go. However, to my knowledge, Checkpoint, in the NGx
release, has something called routing-based VPN, which is similar to Cisco.
With routing-based VPN, you're talking about Virtual Tunnel Interface (VTI),
where dynamic routing protocols can traverse and get encrypted via IPsec.
I've never used VTI or routing-based VPN with Checkpoint so I cannot comment
on the reliability of it. However, I've set up DMVPN and OSPF/GRE/IPsec with
Cisco and I can tell you that it is not that difficult and very reliable.
Maybe Checkpoint VTI and routing-based VPN in NGx is just as reliable. Again,
I cannot comment on it because I've never tested it.
From what I can see, you can run a GRE tunnel on the Nokia and encrypt the GRE
tunnel with IPsec. That way, you can run OSPF across the IPsec tunnel via GRE.
Furthermore, running OSPF on the Nokia is FREE. Basically, you can accomplish
the same thing with Nokia as you would with Cisco. I've set up GRE on Nokia and
it is very simple to set up.
Good luck!
cisco4ng
Aleks Feltin <[EMAIL PROTECTED]> wrote:
Hi folks!
I am looking for your help, which could be a solution to my issue.
I'm building a site-to-site VPN between 3 gateways. Gateways
authenticate each other using the pre-shared key. Different VPN-1
versions are used with management installed on each. There is also one
Nokia IP-40 embedded device.
Communication between IP-40 and NGX works just perfectly, although this
is not enough. To complete the goal, a node in LAN-A should access
resources in LAN-B and vice versa.
The Check Point VPN guide offers 2 ways to implement VPN routing - based
on the VPN domain or using the OS routing. I believe the latter is much
harder.
My first question is which one could be easier to use, and where I could
find some step-by-step guides for a similar topology?
Additionally, sharing your experience is appreciated!
Here is information about the topology:
VPN Domain A -- 192.168.11.0/24
|
|
[ 192.168.11.1 ]
Firewall A (IPSO/R55W)
[ 10.0.5.2 ]
|
|
External Network -- 10.0.5.0/24
|
|
switch ----- 10.0.5.1 Central Gateway (IPSO/NGX)
|
|
External Network 10.0.5.0/24
|
|
[ 10.0.5.4 ]
Firewall B (Nokia IP-40 embedded device)
[ 192.168.10.1 ]
|
|
VPN Domain B -- 192.168.10.0/24
I hope to get some helpful answers; also, I am ready to supply you with
additional information if needed.
with best regards,
Aleks
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================