This is one of those "I want something that is not simple" questions that customers have. There are a number of issues here that make this a difficult item to answer:

- Routing: how will the traffic know which path to take?
- Encrypt or not? How does the gateway know when to encrypt or decrypt the traffic?
- A domain based VPN does not support dynamic routing.
- VPN interfaces support dynamic routing, but they are not supported in VSX.
- VPN interfaces are configured in GAIA and, depending on the number of sites, you need an exponentially growing number of interfaces if you want a full mesh.

In our experience this type of setup is best solved by adding either:

- a GRE tunnel on the router which is routed over an IPSEC tunnel between the Check Points, or
- an IPSEC tunnel directly between both routers by using a NAT IP for both routers (requires a SEC license on the routers).

Last resort would be running dynamic routing on both Check Points and the routers and using a route based VPN between the Check Points.

To expand on what was said, so much of what you do will depend upon the topology and where the Point to Point Link actually terminates. It would also depend upon how the Branch Office Network route is put into the Central Office and if Traffic normally goes through the Check Point anyway. So to give a more detailed answer I would have to see a high level topology for how this fits together.

A Router at each location that is running Dynamic Routing. This then advertises the Remote Network into the Core at the Location. So effectively the Check Point Gateway and the P2P Router are on stub networks hanging off the Core Switch, and the Core Switch makes the decision to send to the P2P router or the Check Point. Route Based VPN between the Branch Office and the Central Location, which will also advertise the routes, but make sure they have a Higher Cost so that traffic would route to the Router rather than over the VPN. In the event that the Link OR the actual Router goes down at a location then the Route via the Point 2 Point link is no longer learnt and so the Route Based VPN would take over.

I tend to favour this as that way, if any of the traffic does have to go through the Check Point, maybe accessing a DMZ resource, it normally comes over the P2P link and then up to the Check Point Box to access the Server, so the Check Point sees the connection via the P2P link and forwards accordingly. With a Domain Based VPN it would simply send over the VPN and end up with Asymmetric Routing. Of course if you don't need to access any resources in a DMZ and the Traffic from the Branch Office never normally goes near the Check Point then you could simply have a Domain Based VPN, and if the P2P link goes down then the traffic would revert to going to the Check Point and over the Domain Based VPN by reason of no route via the P2P.
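To illustrate the routing decision the posts above describe, here is an added Python model (not code from the thread or from Check Point): a cost-based routing table where the P2P route wins until it is withdrawn, and a domain based VPN peer whose encrypt decision ignores that table, which is what produces the asymmetric path. The network addresses, next-hop names and costs are constructed for the example.

```python
import ipaddress


class RoutingTable:
    """Constructed model of a core switch / router: longest prefix wins, then lowest cost."""

    def __init__(self):
        self.routes = []  # (prefix, next_hop, cost)

    def learn(self, prefix, next_hop, cost):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, cost))

    def withdraw(self, next_hop):
        # Link or router down: routes advertised by that neighbour are no longer learnt
        self.routes = [r for r in self.routes if r[1] != next_hop]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        return max(cands, key=lambda r: (r[0].prefixlen, -r[2]))[1]


BRANCH_NET, BRANCH_HOST = "10.20.0.0/16", "10.20.5.7"  # constructed branch network
DMZ_NET, DMZ_SERVER = "10.10.0.0/16", "10.10.1.5"      # constructed central DMZ


def route_based_failover():
    """Central core: P2P route preferred (cost 10), VTI route kept at a higher cost (100)."""
    core = RoutingTable()
    core.learn(BRANCH_NET, "p2p-router", 10)
    core.learn(BRANCH_NET, "checkpoint-vti", 100)
    before = core.lookup(BRANCH_HOST)
    core.withdraw("p2p-router")  # P2P link or router fails, so the route is no longer learnt
    return before, core.lookup(BRANCH_HOST)


def domain_based_dmz_flow():
    """Domain based VPN: the Check Point encrypts because the destination is in the
    peer's encryption domain, not because routing chose the VPN. The branch router
    still prefers the P2P link for the reply, so the two directions take different paths."""
    peer_domain = ipaddress.ip_network(BRANCH_NET)
    forward = "vpn" if ipaddress.ip_address(BRANCH_HOST) in peer_domain else "p2p-router"
    branch = RoutingTable()
    branch.learn(DMZ_NET, "p2p-router", 10)
    branch.learn(DMZ_NET, "vpn", 100)
    reverse = branch.lookup(DMZ_SERVER)
    return forward, reverse, forward != reverse
```

The last value returned by domain_based_dmz_flow() is True exactly when the forward and return paths differ, the asymmetric routing the thread warns about.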