• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 810

Check Point - ISDN VPN and Serial VPN to same LAN

      LAN A
Check Point Firewall
   |           |
Serial       ISDN
   |           |
    \         /
     \       /
       LAN B

OK...  I want a VPN tunnel going from LAN A to LAN B, through the Serial link, and I want a backup VPN tunnel going from LAN A to LAN B, through the ISDN link.
The trouble is, I can't see how you can prioritise either the Serial or ISDN router on Check Point - it will just use the Serial and ISDN links in turn.
Anybody else set this up?
Tim Holman
1 Solution

I've done something very similar to this in the past: primary channel over Frame Relay with a DoD backup on ISDN.  We used Nokia boxes, and had the added complication that there were HA pairs at each end each also running VRRP.  Messy...

Anyway, the way we went about it was to let the base OS (IPSO in our case) handle routing.  In CheckPoint, the gateway on LAN A only cares about the peer IP address of its IPSec peer on LAN B.  The actual IPSec (and IKE) packets are routed by the base OS.

So, you can configure two routes in the base OS.  Set the ISDN route to have a higher cost than the serial and hey - it works!  This assumes that CheckPoint has one interface to a LAN with both Serial and ISDN gateways.

If there are actually 2 interfaces in CheckPoint, you could configure a dynamic routing protocol (such as RIP), and just cost the ISDN interface higher than the serial.  In this case, you will have to have interface spoofing on the ISDN otherwise the routing protocol will see it as down all the time.  When one goes down, the route for it should be available through the other.

If this doesn't help, then can you post some more details - specifically what version of CP on what platform, and more details on the connections between CP and the WAN interfaces?

Have fun!


Actually there is one very simple trick you can do in this kind of situation.
I assume that you are using some sort of router with serial and ISDN interfaces.  Well, if it is Cisco (and this feature is supported by some other vendors as well), define a loopback interface on the router.  On the FW, define that the peer of encryption for LAN A will be the IP address of the loopback interface of the router.  This way, no matter if the connection is through the serial or ISDN, you will still have the same peer of encryption for LAN A, being able to retain the sessions even when the serial is down and the ISDN is up, and vice versa.  If you are able to do this on both sides, LAN A and LAN B, then you have no problem, you are rolling.

Hope this helps
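Both answers rely on the same two facts: the firewall's VPN configuration only ever names the peer's IP address, and the base OS picks the path to that address by longest prefix and then by route cost. The model below is an added example, not code from the original thread, from Check Point, IPSO or Cisco; it implements a small routing table with that selection rule and a gateway object that knows only its peer, and walks the serial link down and back up. The interface names (serial0, isdn0), the loopback peer address 10.255.0.2 and the RFC 5737 next-hop addresses are all constructed for the illustration.

```python
"""Model of the two-routes-to-one-peer design from the answers above.

Constructed example: a tiny routing table with longest-prefix-match and
metric tie-breaking, plus a VPN gateway object that only knows its peer's
address. All addresses and interface names are made up for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int  # lower wins: "cost the ISDN route higher than the serial"


class RoutingTable:
    """Base-OS routing table: the firewall hands IKE/IPsec packets to it."""

    def __init__(self):
        self._routes = []
        self._link_up = {}

    def add(self, prefix, next_hop, interface, metric):
        self._routes.append(
            Route(ipaddress.ip_network(prefix), next_hop, interface, metric))
        self._link_up.setdefault(interface, True)

    def set_link(self, interface, up):
        """Simulate the serial or ISDN link going down or coming back."""
        self._link_up[interface] = up

    def lookup(self, dst):
        """Return the best usable route for dst, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self._routes
                  if addr in r.prefix and self._link_up.get(r.interface, False)]
        if not usable:
            return None
        # Longest prefix first, then lowest metric: the ISDN route only wins
        # once the serial route has been withdrawn.
        return min(usable, key=lambda r: (-r.prefix.prefixlen, r.metric))


@dataclass(frozen=True)
class VpnGateway:
    name: str
    peer_ip: str           # the only thing the firewall's VPN config cares about
    encryption_domain: str


def build_lan_a_table():
    """Firewall at LAN A with two interfaces, one per WAN router (constructed)."""
    table = RoutingTable()
    # The LAN B router exposes a loopback 10.255.0.2/32 reachable by both WAN
    # paths; the serial path costs 10, the ISDN path costs 20.
    table.add("10.255.0.2/32", "192.0.2.2", "serial0", 10)
    table.add("10.255.0.2/32", "198.51.100.2", "isdn0", 20)
    return table


def path_to_peer(table, gateway):
    """Return (interface, next_hop) the base OS would use to reach the IKE peer."""
    route = table.lookup(gateway.peer_ip)
    return None if route is None else (route.interface, route.next_hop)


def failover_sequence():
    """Walk through serial up -> serial down -> serial restored.

    Returns the interface chosen at each stage plus the peer address, which
    stays constant: the firewall keeps negotiating with the same peer while
    only the underlying path changes.
    """
    table = build_lan_a_table()
    lan_b = VpnGateway("lan_b_gw", peer_ip="10.255.0.2",
                       encryption_domain="10.2.0.0/16")

    stages = [path_to_peer(table, lan_b)[0]]
    table.set_link("serial0", False)   # serial circuit fails, ISDN carries it
    stages.append(path_to_peer(table, lan_b)[0])
    table.set_link("serial0", True)    # serial back, lower metric wins again
    stages.append(path_to_peer(table, lan_b)[0])
    return stages, lan_b.peer_ip


if __name__ == "__main__":
    chosen, peer = failover_sequence()
    print("path per stage:", chosen, "| IKE peer throughout:", peer)
```

The point the model makes is the one both answers make in words: because the peer is the loopback address rather than either WAN interface, the tunnel definition on the firewall does not change when the route underneath it does, and a metric (or a dynamic protocol's interface cost) is what decides which link carries it.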
Tim Holman (Author) commented:
Thanks Velimir - I will set this up - a few others have suggested this too, so we must be on the right track... :)
