Sort of. I would hope that the Nokias are more involved in the
dynamic side of things.
Site A                                          Site B
CoreSwitch1 <--->NG<------vpn------>NG<--->CoreSwitch2
 \                                                            /
  \--------------- Router <----------------> Router -----------/
Site A and Site B will connect primarily via the VPN network. All
clients on both sides will default gateway to their CoreSwitch.
Hopefully the Checkpoint on Site A will advertise the route from the
tunnel configuration. If the tunnel is down, it will not advertise the
route. The routers on either side will be costed higher so that the
VPN is used as primary.
Another catch: you can't just static in the routes in the Nokia and
redistribute because you will black hole the network.
Thoughts?
On 8/23/05, Christopher Hoff <choff AT truenorthsolutions DOT net> wrote:
> If I understand what you are looking for, NGX will allow you to do it.
> Basically, I think you want to be able to send Dynamic Routing Protocols
> (OSPF) through the tunnel. With my limited Dynamic Routing experience, I
> would expect that if the tunnel were to go down, the 2 "neighboring
> routers" would no longer be able to talk, and therefore the route would
> be deleted if the tunnel went down.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Chris
> Lyon
> Sent: Tuesday, August 23, 2005 3:00 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Nokia VPN NG or NGX OSPF
>
> On 8/23/05, cisco4ng <cisco4ng AT yahoo DOT com> wrote:
> > The firewall has a default gateway and the default gateway will take
> > care of that. You don't need to add any static routes unless you are
> > terminating VPN on interfaces that do not use the default gateway.
>
> Let's say that the firewall isn't the default gateway. Will the Nokia
> advertise the route for a network on the other end of a VPN tunnel
> using Checkpoint? If I can remember right, FP3 didn't do this as
> Checkpoint didn't pass routing information down to IPSO. Does anybody
> know?
>
>
> >
> > Questions 2 and 3 are not relevant unless you're talking GRE/IPSec.
> > Cisco IOS supports tunneling GRE inside an IPSec tunnel. I think Nokia
> > can do the same thing. In case of tunneling GRE inside IPSec tunnel,
> > then the routes will go away if the VPN goes down, which makes sense
> > because the IPSec tunnel is used to transport/encrypt GRE.
>
> Now, if the question above is a YES, then Q2 and Q3 become relevant.
> BTW, I am not talking GRE/IPSec.
>
>
> >
> > HTH
> >
> > Chris Lyon <cslyon AT GMAIL DOT COM> wrote:
> > A few questions around Checkpoint NG or NGX on Nokia -
> >
> > 1) If you configure a VPN for a remote location, to another Checkpoint
> > or Juniper or Cisco as the other end, does CP enter one or more routes
> > representing the remote site address space into the Nokia OS?
> > 2) If not, how does the Firewall know where to route the packets?
> > 3) If the VPN goes down do the routes then go away?
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
>
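The failover design discussed in this thread, as an added example that is not part of any poster's message: a toy model of route selection at CoreSwitch1 showing why a tunnel-tied advertisement fails over to the router path while a redistributed static route black-holes traffic. The prefix, costs and next-hop names are constructed assumptions, and the model does not represent actual IPSO or Check Point behaviour.

```python
# Added illustration: toy route selection at CoreSwitch1 for the Site B prefix.
# Prefix, costs and names are constructed; this is not IPSO or Check Point code.
from dataclasses import dataclass

SITE_B = "10.2.0.0/16"  # constructed prefix standing in for Site B


@dataclass(frozen=True)
class Advert:
    next_hop: str   # device that advertised SITE_B to the core switch
    cost: int       # lower wins, as with an OSPF metric
    forwards: bool  # can that next hop actually deliver traffic right now?


def adverts(tunnel_up: bool, firewall_mode: str) -> list[Advert]:
    """Routes for SITE_B as seen by CoreSwitch1.

    firewall_mode "dynamic": firewall advertises only while the tunnel is up.
    firewall_mode "static":  firewall redistributes a static route regardless.
    """
    # Backup path via the routers, costed higher so the VPN is primary.
    routes = [Advert("router-a", cost=100, forwards=True)]
    if firewall_mode == "static" or tunnel_up:
        routes.append(Advert("firewall-a", cost=10, forwards=tunnel_up))
    return routes


def forward(tunnel_up: bool, firewall_mode: str) -> str:
    """Return the path taken, or 'black hole' if the best route cannot deliver."""
    best = min(adverts(tunnel_up, firewall_mode), key=lambda r: r.cost)
    return best.next_hop if best.forwards else "black hole"


def scenario_table() -> dict:
    """All four combinations of advertisement mode and tunnel state."""
    return {(mode, up): forward(up, mode)
            for mode in ("dynamic", "static") for up in (True, False)}


if __name__ == "__main__":
    for (mode, up), path in scenario_table().items():
        print(f"{mode:8} tunnel_up={up!s:5} -> {path}")
```

The static case with the tunnel down is the one to test for in a lab before cutover: the lower-cost route is still present, so the higher-cost router path is never selected.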