Re: [FW1] Re-Routing VPN Traffic
Larry Pingree wrote:
> Hmm.. I think the only way to do this would be fully meshed. Anyone else
> have any ideas on this one?

T.Higgins wrote:
> We have a similar problem - although ours is made worse by the fact that
> the single connection point in our case is running on a Nortel VPN box:-
>
> SiteA - - CPpointVPN - - Site B - - Nortel VPN - - Site C
>
> SiteA to B no problem, Site B to C no problem, Site A to C doesn't work -
> get dest unreachable from traceroute (from an ISP router) but can't see
> any obvious routing config errors at our end.
>
> Any ideas on our situation would help.

Since I connected a second leaf site through another VPN box (cisco)
last week, I got some new experiences on this. It _is_ possible to
re-route VPN-traffic through several tunnels, but you have to mess
around with the encryption domain settings. Here is what one is
supposed to do in my example:

              Site D (new)
                10.30/21
                +------+
                |      |
                +------+
                   :
                   :
                   :
                   :
                +------+
                |      | Site A
                +------+ 10.31/21
                   /\
                  /  \
                 /    \
                /      \
               /        \
              /          \
             /            \
         +------+      +------+
  Site B |      |------|      | Site C
10.32/21 +------+      +------+ 10.33/21

- Define Site A and D to be the ED of Site A at Site B
- Define Site A and D to be the ED of Site A at Site C
- Define Site A, B and C to be the ED of Site A at Site D
- At Site A define the original ED for each other Site

Be aware that re-routing through multiple tunnels doesn't increase
round-trip-times and reliability. And it is a horrible task to maintain
such a VPN when different administrators are involved... ;)

Perhaps someone knows a kind of Design-Guide for large VPNs. Didn't
find something like this on checkpoint.com :(

Bye, Elchy

Disclaimer: I'm not absolutely sure that above configuration is
working. My own VPN looks somewhat different and includes devices of
other manufacturers. Please correct me, if I'm wrong.

--
A. Eltrich - mailto:[email protected]
LAN/WAN System Engineer - http://www.inotronic.de/
inotronic Computers GmbH - Pfaelzer-Wald-Str. 70
D-81539 Muenchen - Tel: +49-89-439007-0 - Fax: -41
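
The encryption domain (ED) assignments listed in the message above, modelled as an added example (not part of the original post and not Check Point code) to check which tunnels a packet would traverse and whether return paths mirror forward paths. Assumptions: each gateway selects the tunnel purely by which peer's locally defined ED contains the destination, "10.30/21" is read as 10.30.0.0/21, and the function names are hypothetical.

```python
import ipaddress

# Site networks from the post; "10.30/21" is read as 10.30.0.0/21 (assumption).
NET = {s: ipaddress.ip_network(n) for s, n in {
    "A": "10.31.0.0/21", "B": "10.32.0.0/21",
    "C": "10.33.0.0/21", "D": "10.30.0.0/21"}.items()}

# ED[gw][peer] = sites that gateway `gw` treats as that peer's encryption domain.
ED = {
    "A": {"B": {"B"}, "C": {"C"}, "D": {"D"}},   # "original ED" at Site A
    "B": {"A": {"A", "D"}, "C": {"C"}},
    "C": {"A": {"A", "D"}, "B": {"B"}},
    "D": {"A": {"A", "B", "C"}},
}

def next_hop(gw, dst_ip, ed=ED):
    """Peer whose locally defined ED contains dst_ip, or None if no tunnel matches."""
    for peer, sites in ed[gw].items():
        if any(dst_ip in NET[s] for s in sites):
            return peer
    return None

def tunnel_path(src_site, dst, ed=ED):
    """Gateways a packet traverses from src_site to dst; raises on drop or loop."""
    dst_ip = ipaddress.ip_address(dst)
    path = [src_site]
    while dst_ip not in NET[path[-1]]:
        hop = next_hop(path[-1], dst_ip, ed)
        if hop is None:
            raise LookupError(f"{path[-1]}: no encryption domain contains {dst}")
        if hop in path:
            raise RuntimeError(f"tunnel loop: {path + [hop]}")
        path.append(hop)
    return path

def asymmetric_pairs(ed=ED):
    """Site pairs whose forward and return tunnel paths are not mirror images."""
    bad, sites = [], sorted(NET)
    for s in sites:
        for d in sites:
            if s < d:
                fwd = tunnel_path(s, str(NET[d][1]), ed)
                rev = tunnel_path(d, str(NET[s][1]), ed)
                if fwd != rev[::-1]:
                    bad.append((s, d))
    return bad

if __name__ == "__main__":
    print(tunnel_path("D", "10.33.0.10"), asymmetric_pairs())
```

Removing Site D from the ED that Site B holds for Site A makes tunnel_path("B", ...) towards 10.30/21 raise LookupError, which is the kind of one-sided definition that is easy to miss when different administrators maintain each gateway.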