Re: [FW-1] Hub and Spoke VPN
> Hub and spoke is the way to go, with a router at the hub to direct traffic
> to all the spokes.

A fully meshed VPN is very easy to set up, but you have to have a single EMC. With multiple management consoles the shared secrets become a lot harder to keep track of. I have a 27-office fully meshed VPN under my control and adding offices has always been relatively simple. I have one rule for all of the VPNs, as well as a single EMC. Multiple rules would not be too bad but multiple EMCs would make this an absolute pain.

> traversing the fw twice to go from spoke to spoke could be considered bad,
> but life is easy for admin.

I do not have the bandwidth for 26 other offices to do all their inter-office communication through any one other office. As a result, a fully meshed VPN was my only choice in this case.

As far as configuring this goes: The firewall will be receiving the packets from each office. It will need to decrypt them, route them, and then re-encrypt them out the same interface. Unfortunately I do not know what CheckPoint would do in this situation. A router receiving traffic and sending it out the same interface would throw an ICMP redirect; however, with CheckPoint in the middle of things it becomes a lot more confusing. Unfortunately this boils down to my not having an answer for you.

-Don