Larry Pingree wrote:
> Hmm.. I think the only way to do this would be fully meshed. Anyone else
> have any ideas on this one?
T.Higgins wrote:
> We have a similar problem - although ours is made worse by the fact that
> the single connection point in our case is running on a Nortel VPN box:-
>
> SiteA - - CPpointVPN - - Site B - - Nortel VPN - - Site C
>
> SiteA to B no problem, Site B to C no problem, Site A to C doesn't work -
> get dest unreachable from traceroute (from an ISP router) but can't see
> any obvious routing config errors at our end.
>
> Any ideas on our situation would help.
Since I connected a second leaf site through another VPN box (cisco) last
week, I got some new experiences on this.
It _is_ possible to re-route VPN traffic through several tunnels, but you
have to mess around with the encryption domain settings. Here is what one
is supposed to do in my example:
                    Site D (new)
                    10.30/21
                    +------+
                    |      |
                    +------+
                       :
                       :
                       :
                       :
                    +------+
                    |      |  Site A
                    +------+  10.31/21
                      /\
                     /  \
                    /    \
                   /      \
                  /        \
                 /          \
                /            \
         +------+            +------+
Site B   |      |------------|      |   Site C
10.32/21 +------+            +------+   10.33/21
- Define Site A and D to be the ED of Site A at Site B
- Define Site A and D to be the ED of Site A at Site C
- Define Site A, B and C to be the ED of Site A at Site D
- At Site A define the original ED for each other Site
Be aware that re-routing through multiple tunnels doesn't increase
round-trip times and reliability. And it is a horrible task to maintain such
a VPN when different administrators are involved... ;)
Perhaps someone knows a kind of Design Guide for large VPNs. Didn't find
anything like this on checkpoint.com :(
Bye, Elchy
Disclaimer: I'm not absolutely sure that the above configuration works. My
own VPN looks somewhat different and includes devices of other
manufacturers. Please correct me if I'm wrong.
--
A. Eltrich - mailto:[EMAIL PROTECTED]
LAN/WAN System Engineer - http://www.inotronic.de/
inotronic Computers GmbH - Pfaelzer-Wald-Str. 70
D-81539 Muenchen - Tel: +49-89-439007-0 - Fax: -41
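The four encryption-domain rules in the post can be sanity-checked before touching a real gateway. The following model is an added example written for this archive page; it is not code from the poster, from the list, or from any Check Point, Nortel or Cisco product. It assumes a simplified forwarding rule (a gateway sends a packet into the tunnel whose peer encryption domain contains the destination; if no peer matches, the packet is dropped, which is the "destination unreachable" case from the thread) and uses the /21 networks and tunnels from the post's diagram as constructed input. It compares the naive setup (each peer's ED is its own LAN) with the hub setup from the post, and also flags the two things a practitioner would check on such a design: overlapping EDs at one gateway, and whether the return path routes as well as the forward path.

```python
import ipaddress

# Constructed from the post's diagram: four sites, each with a /21 network.
# Site A is the hub; D hangs off A, and B and C are tunnelled to A and to
# each other. The prefixes are the ones drawn in the post.
NETWORKS = {
    "A": ipaddress.ip_network("10.31.0.0/21"),
    "B": ipaddress.ip_network("10.32.0.0/21"),
    "C": ipaddress.ip_network("10.33.0.0/21"),
    "D": ipaddress.ip_network("10.30.0.0/21"),
}

# Tunnels that exist between gateways (undirected), as drawn in the post.
TUNNELS = {frozenset(p) for p in [("D", "A"), ("A", "B"), ("A", "C"), ("B", "C")]}


def naive_domains():
    """Each gateway's view of its peers: peer -> set of networks believed to
    sit behind that peer. Naive setting: each peer's own LAN only."""
    domains = {}
    for site in NETWORKS:
        domains[site] = {}
        for peer in NETWORKS:
            if frozenset((site, peer)) in TUNNELS:
                domains[site][peer] = {NETWORKS[peer]}
    return domains


def hub_domains():
    """The four rules from the post: leaf gateways treat the hub's ED as
    'everything reachable via the hub'; the hub keeps the original EDs."""
    domains = naive_domains()
    # At Site B and Site C, the ED of Site A is A plus D.
    domains["B"]["A"] = {NETWORKS["A"], NETWORKS["D"]}
    domains["C"]["A"] = {NETWORKS["A"], NETWORKS["D"]}
    # At Site D, the ED of Site A is A, B and C.
    domains["D"]["A"] = {NETWORKS["A"], NETWORKS["B"], NETWORKS["C"]}
    # At Site A, the original ED of each other site is left unchanged.
    return domains


def route(domains, src_site, dst_ip, max_hops=8):
    """Walk a packet gateway by gateway (hypothetical forwarding model).
    Returns the list of gateways traversed, or None if some gateway on the
    way has no tunnel whose peer ED contains the destination."""
    dst = ipaddress.ip_address(dst_ip)
    path = [src_site]
    current = src_site
    for _ in range(max_hops):
        if dst in NETWORKS[current]:
            return path  # delivered to the local LAN
        matches = [peer for peer, nets in domains[current].items()
                   if any(dst in net for net in nets)]
        if not matches:
            return None
        current = matches[0]
        path.append(current)
    return None  # loop or too many hops


def overlapping_domains(domains):
    """Gateways where two peers' EDs claim the same network. Such overlaps
    make the tunnel choice ambiguous, so a sane configuration has none."""
    problems = []
    for site, peers in domains.items():
        claimed = {}
        for peer, nets in peers.items():
            for net in nets:
                claimed.setdefault(net, []).append(peer)
        for net, who in claimed.items():
            if len(who) > 1:
                problems.append((site, str(net), sorted(who)))
    return problems


def symmetric(domains, a, b):
    """Both directions must route, otherwise handshakes fail one way."""
    fwd = route(domains, a, str(NETWORKS[b][1]))
    back = route(domains, b, str(NETWORKS[a][1]))
    return fwd is not None and back is not None


if __name__ == "__main__":
    for label, dom in (("naive", naive_domains()), ("hub", hub_domains())):
        print(label, "D -> B:", route(dom, "D", "10.32.1.1"))
        print(label, "B -> D:", route(dom, "B", "10.30.1.1"))
        print(label, "overlaps:", overlapping_domains(dom))
        print(label, "D <-> C symmetric:", symmetric(dom, "D", "C"))
```

Running it shows D to B failing under the naive EDs and going D, A, B under the hub EDs, with no overlapping domains at any gateway. The extra hop through A is also visible in the returned path, which is the round-trip-time cost the post mentions.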