Tim Holman

asked on
Check Point - ISDN VPN and Serial VPN to same LAN

      LAN A
         |
Check Point Firewall
   |           |
Serial       ISDN
   |           |
    \         /
     \       /
       LAN B

OK...  I want a VPN tunnel going from LAN A to LAN B, through the Serial link, and I want a backup VPN tunnel going from LAN A to LAN B, through the ISDN link.
The trouble is, I can't see how you can prioritise either the Serial or ISDN router on Check Point - it will just use the Serial and ISDN links in turn.
Anybody else set this up?
matt_t1

Tim,

I've done something very similar to this in the past: primary channel over Frame Relay with a DoD backup on ISDN.  We used Nokia boxes, and had the added complication that there were HA pairs at each end each also running VRRP.  Messy...

Anyway, the way we went about it was to let the base OS (IPSO in our case) handle routing.  In CheckPoint, the gateway on LAN A only cares about the peer IP address of its IPSec peer on LAN B.  The actual IPSec (and IKE) packets are routed by the base OS.

So, you can configure two routes in the base OS.  Set the ISDN route to have a higher cost than the serial and hey - it works!  This assumes that CheckPoint has one interface to a LAN with both Serial and ISDN gateways.

If there are actually 2 interfaces in CheckPoint, you could configure a dynamic routing protocol (such as RIP), and just cost the ISDN interface higher than the serial.  In this case, you will have to have interface spoofing on the ISDN otherwise the routing protocol will see it as down all the time.  When one goes down, the route for it should be available through the other.

If this doesn't help, then can you post some more details - specifically what version of CP on what platform, and more details on the connections between CP and the WAN interfaces?

Have fun!

Matt.
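The route-cost approach Matt describes (the firewall only needs a route to the peer IP; the base OS holds a cheap route via the serial router and an expensive one via the ISDN router) can be modelled as a small routing-table selector. The following is an added example, not code from the thread or from Check Point/IPSO: all addresses, interface names and metrics are constructed, and the `ip route` strings it emits are the Linux iproute2 equivalent of the two static routes, not IPSO syntax. It also shows why Matt's "interface spoofing" remark matters: a dial-on-demand ISDN interface looks down while idle, so unless the OS treats it as up, its route is never selected when the serial link fails.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 test networks, not from the thread).
PEER_IP = "203.0.113.10"        # VPN peer address of the LAN B gateway
SERIAL_NEXT_HOP = "192.0.2.1"   # serial router on the LAN A side
ISDN_NEXT_HOP = "192.0.2.2"     # ISDN router on the LAN A side


class Route:
    """One static route: destination prefix, next hop, egress interface, cost."""

    def __init__(self, prefix, next_hop, iface, metric):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.iface = iface
        self.metric = metric


def build_table():
    """Two routes to the peer's network: serial cheap, ISDN expensive."""
    return [
        Route("203.0.113.0/24", SERIAL_NEXT_HOP, "serial0", 10),
        Route("203.0.113.0/24", ISDN_NEXT_HOP, "bri0", 100),
    ]


def select_route(table, dst, link_up, spoofed=frozenset()):
    """Pick the route a base OS would use: longest prefix, then lowest metric,
    considering only routes whose interface is up (or spoofed as always-up)."""
    addr = ipaddress.ip_address(dst)
    candidates = [
        r for r in table
        if addr in r.prefix and (link_up.get(r.iface, False) or r.iface in spoofed)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def failover_demo(spoof_isdn):
    """Walk the peer route through serial-up, serial-down, serial-restored.
    Returns the interface chosen at each step (None = no usable route)."""
    table = build_table()
    spoofed = {"bri0"} if spoof_isdn else set()
    states = [
        {"serial0": True, "bri0": False},   # normal: serial up, ISDN idle
        {"serial0": False, "bri0": False},  # serial fails, ISDN still idle
        {"serial0": True, "bri0": False},   # serial restored, traffic returns
    ]
    chosen = []
    for link_up in states:
        r = select_route(table, PEER_IP, link_up, spoofed)
        chosen.append(r.iface if r else None)
    return chosen


def linux_route_commands(table):
    """Assumed Linux (iproute2) equivalent of the two static routes; IPSO's
    own CLI syntax differs and is not reproduced here."""
    return [
        f"ip route add {r.prefix} via {r.next_hop} dev {r.iface} metric {r.metric}"
        for r in table
    ]


if __name__ == "__main__":
    print("with ISDN spoofed as up:   ", failover_demo(spoof_isdn=True))
    print("without spoofing:          ", failover_demo(spoof_isdn=False))
    for cmd in linux_route_commands(build_table()):
        print(cmd)
```

With spoofing the selector returns serial0, bri0, serial0 across the three link states; without it the second step yields no route at all, which is the failure mode Matt warns about for dynamic routing over the ISDN interface. The same ordering logic applies whether the two routes are static with different metrics or learned via RIP with the ISDN interface costed higher.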
ASKER CERTIFIED SOLUTION
velimirmkd

Tim Holman

ASKER

Thanks Velimir - I will set this up - a few others have suggested this too, so we must be on the right track... :)