4.0 WILL NOT failover VPN connections of any sort. It's just plain not in
the state table, and ain't gonna happen. 4.1 SP1 introduced VPN failover,
most specifically MEP and SEP. I think www.checkpoint.com/~joe has a
discussion on MEP (Multiple Entry Point) and SEP (Single Entry Point).

On another note concerning state table sync, 4.1 SP2 changes the state
synchronization from TCP based to UDP based, which supposedly will speed up
state synchronization. I have yet to test the UDP based state sync, but it
sounds like it is bound to speed things up. After we do some testing, I will
post the results. In a really busy network, it is nearly impossible for the
state tables to match in 2 or more boxen.
Frank
-----Original Message-----
From: Harry Chu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 18, 2000 3:40 PM
To: Carric Dooley
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Nokia HA VPN Failover
I agree, I don't believe 4.0 can handle failover of established VPN
sessions.
I believe it is possible to support this with version 4.1's Cluster
Configuration and it should work with VRRP/IPSO. We are presently doing it
with Suns configured with Stonebeat and the failover of VPN sessions does
work.
I believe the problem with VRRP is that the virtual IP is basically used
for switching packets, hence for routers and neighboring systems to pass
packets to. When establishing a VPN (4.0), the client (gateway or client)
is connecting and negotiating with the firewall's IP address. When failure
occurs, that address no longer exists, therefore reconnection is necessary.
With 4.1, clients will be connecting to the VIP rather than the real IP
of one of the firewalls.
HC
"Carric Dooley" <[EMAIL PROTECTED]> on 07/18/2000 03:13:31 PM
To: "David Wong" <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
cc: (bcc: Harry Chu/SIAC)
Subject: Re: [FW1] Nokia HA VPN Failover
I don't think VPN will work with failover. The VPN is created on that box
and does not translate over (if they don't have a fix for that yet).
----- Original Message -----
From: "David Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 18, 2000 11:12 AM
Subject: [FW1] Nokia HA VPN Failover
>
> Does anyone have info on having Checkpoint 4.0 failover a Lan to Lan VPN
> (both using Checkpoint/Nokia IP440)? Failover for internet connectivity
> works, but the VPN does not. Can anyone verify whether this can or can not
> be done? Is it a timing issue with ISAKMP?
>
> TIA,
> David
>
> ===========================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===========================================================================