Hi,

Old message, but I am new to the list and found it while browsing the
archives. Just an update: you can do a GRE tunnel using R55. I have done it
and it works fine. SPLAT PRO is not necessary for this. Just load the module
"ip_gre" and configure the tunnel. A sample config:

Step 1 - disable local interface anti-spoofing. This is needed because the
firewall will drop tun1 packets because they contain another interface's
address as source:

    /opt/CPfw1-R55/bin/fw ctl set int fw_local_interface_anti_spoofing 0

(please, be aware of the security implications of doing that!!)

Step 2 - load the gre module:

    /sbin/modprobe ip_gre

Step 3 - set up the tunnel:

    /sbin/ip tunnel add name tun1 mode gre local 10.x.x.253 remote 10.y.y.220
    /sbin/ip link set tun1 up
    /sbin/ip addr add 172.x.x.y peer 172.31.y.x dev tun1

Step 4 - add the routes you will need:

    /sbin/ip route add 172.31.bla.0/24 dev tun1
    /sbin/ip route add 172.31.blabla.0/24 dev tun1

You're done. Add the tun0 interface to the firewall's object topology in
SmartCenter. To save the config, add the commands to rc.local.

Now, note that having a GRE tunnel is not enough to route multicast over
SPLAT. If you use PIM, DVMRP, MOSPF or anything else, you still have to use
a daemon to route multicast, as SPLAT doesn't do that in the kernel. SPLAT Pro
comes with gated software that does multicast routing.

Rgds,
JF
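
The four steps above, turned into lines that are safe to keep in rc.local. This is an added example, not part of JF's message: the function names, the `ip link show` guard and the use of `ip route replace` are assumptions made here so that re-running the file does not fail, and every address passed to it is a constructed sample. Input is validated first, so a leftover placeholder such as 10.x.x.253 is rejected instead of being written out.

```shell
#!/bin/sh
# Added example (not from the post): render idempotent rc.local lines for the
# GRE tunnel. All addresses used with it are constructed samples.
FW=/opt/CPfw1-R55/bin/fw    # path as given in the post
IP=/sbin/ip

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for ADDRESS/LEN with a valid address and LEN in 0..32.
valid_prefix() {
    case $1 in */*) ;; *) return 1 ;; esac
    len=${1#*/}
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] && valid_ipv4 "${1%/*}"
}

# usage: render_gre_rc TUN LOCAL REMOTE TUN_ADDR PEER_ADDR ROUTE...
# Prints the commands; prints nothing and returns 1 if any value is malformed.
render_gre_rc() {
    [ $# -ge 5 ] || return 1
    tun=$1 loc=$2 rem=$3 addr=$4 peer=$5
    shift 5
    case $tun in ''|*[!a-z0-9]*) return 1 ;; esac
    for a in "$loc" "$rem" "$addr" "$peer"; do valid_ipv4 "$a" || return 1; done
    for r in "$@"; do valid_prefix "$r" || return 1; done
    echo "$FW ctl set int fw_local_interface_anti_spoofing 0"
    echo "/sbin/modprobe ip_gre"
    # Create the tunnel only if it is not there, so re-running is harmless.
    echo "if ! $IP link show $tun >/dev/null 2>&1; then"
    echo "  $IP tunnel add name $tun mode gre local $loc remote $rem"
    echo "  $IP addr add $addr peer $peer dev $tun"
    echo "fi"
    echo "$IP link set $tun up"
    for r in "$@"; do echo "$IP route replace $r dev $tun"; done
}
```

Review the printed lines before appending them to rc.local; the function only prints and changes nothing on the host.
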

On 8/25/05, cisco4ng <[EMAIL PROTECTED]> wrote:

I've limited experience with NGx so I can NOT comment much on it. However,
I do have experience with R55w on SPLAT and I can offer the following advice:

Routing on SPLAT in R55w is Zebra; in NGx they call it something else, but I
still see a zebra directory in NGx, so it may be different only to the CP
marketing/sales guys. SPLAT R55w can not terminate GRE on the interface
itself; you need to use Nokia for that. Nokia IPSO can terminate GRE on the
interface. Zebra in SPLAT, AFAIK, can only do RIP, OSPF, BGP, etc. and
nothing else.

If you are looking to route multicast traffic, your options would be either
to use Nokia or a Cisco IOS router that will perform GRE so that it will
tunnel routing protocols and multicast traffic such as VoIP traffic for you.
After that, you can protect the GRE traffic with the IPSec VPN. That's why
they call it GRE/IPSec.

I also heard that with Cisco IOS release 12.4 and later, there is a feature
so that you do not need to use GRE to route multicast traffic, and it is not
Dynamic Multipoint VPN either. I would imagine that Checkpoint has something
similar in NGx that is compatible with Cisco in IOS release 12.4.

Before you invest in SPLAT Pro, talk to your Checkpoint rep. and request to
talk to a CP engineer (not a sales engineer), someone who is familiar with
what I just described above. AFAIK, SPLAT Pro is NOT cheap and it may not
meet the requirements you described.

Good Luck!
cisco4ng

FW-1 Emails <[EMAIL PROTECTED]> wrote:
Does anyone have any recommendations for, or want to share experiences
in, getting multicast traffic operational between sites via VPN? I
understand SPLAT Pro offers multicast routing but I have also read
something regarding GRE encapsulation of multicast traffic but not sure
how this would work on regular SPLAT. Just wanted input before I make a
commitment to SPLAT Pro. All feedback is greatly appreciated.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================