
1 LAN, 2 WAN, 2 firewalls, # vpn tunnels

We have a Checkpoint Firewall-1 connected to a DSL connection via a Cisco router.
We are in the process of installing a fiber connection and a new Checkpoint firewall.

We have about 20 VPN tunnels to different customers, and I would like to be able to move them one at a time from the old firewall and DSL connection to the new firewall and fiber connection.

Is it possible to have 2 WANs and 2 firewalls connected to the same LAN and still control multiple VPN connections on each firewall?

3 Solutions
Yes, as long as these 2 WANs have unique IPs.
You may have an issue with routing on the LAN side. With 2 gateways now, which one is the default for the LAN? How are you going to control data routing when you move a network from FW1 to FW2?
It will be a challenge if the Checkpoint won't redirect packets, as a PIX firewall won't. You may need an internal router that will be the LAN gateway, where you can control individual route statements as you need to.
As lrmoore has said, routing would be an issue on the inside.

But I'd like to add that you also have an issue on the outside. If you do not have any control over the external GWs (at the customers), and you do not wish to change the configuration on their side, then you will need some smart routing on the outside as well. And even if the routing issue is OK, your GWs are still going to look very different to the external machine, IP-wise and authentication-wise (if using certificates).

If the external GWs are Check Point, you could try to use the various MEP methods, but honestly it would be a headache, and would require quite a bit of configuration on the external GWs if they are not managed by the same management as yours.

Assuming the external GWs are not managed by the same management machine as your internal firewalls, and assuming you can talk the external companies into performing changes on their side, then the simplest and safest thing I would suggest is putting up the new GW, giving it a different external IP, managing it from the same management, and defining for it the same encryption domain as the first one.
Then contact some of the external customers and tell them to create a new GW object (while keeping the old one), giving it the correct Enc. Dom. while nulling the Enc. Dom. of the old GW. This will allow you a very quick fall-back if the VPN tunnel with the new GW doesn't work.

As to the internal routing, you might consider RIM - Route Injection Mechanism. It basically means that the GW which has a VPN tunnel with an external GW will advertise to your internal routers that the remote encryption domain is now available via it. It is not easy to set up, but once it is up and running, it would allow you a quick fall-back.

To sum it up, I'll repeat what lrmoore said. This would indeed be a challenge. I really doubt it is worth it. Personally, I would just try to make the new machine as identical to the first as possible (IPs, hostname, OS, versions, ...), copy the configuration from the old machine, perform some in-house tests, and then just swap the old and the new. If VPN works with one external peer, there is a very high chance it will work with all 20. If you see it doesn't work, you could quite quickly swap the machines again and try to understand what went wrong.
"the version MEP methods" -> "the various MEP methods"
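The inside-routing problem that both lrmoore and the answer above raise (which firewall the LAN sends each remote network to, and how to get a quick fall-back) is the part of the migration that can be scripted. The block below is an added example and is not code from this thread, from the poster, or from Check Point. It assumes the layout lrmoore suggests: an internal router is the LAN default gateway and holds one static route per remote encryption domain, pointing at whichever firewall currently terminates that customer's tunnel. The firewall addresses, customer names and remote networks are constructed for illustration. It emits the Cisco-IOS-style route changes for moving one tunnel, refuses to split overlapping remote domains across the two firewalls (longest-prefix match on the router would otherwise send one customer's traffic to the wrong gateway, regardless of which firewall holds the tunnel), and produces the rollback by simply reversing the call.

```python
import ipaddress
from itertools import combinations

# Constructed topology (assumption, not from the thread): both firewalls sit on
# the shared LAN, and an internal router that is the LAN's default gateway holds
# one static route per remote encryption domain. Names and addresses are made up.
GATEWAYS = {
    "fw1-dsl":   "10.0.0.1",   # old firewall, DSL uplink
    "fw2-fiber": "10.0.0.2",   # new firewall, fiber uplink
}

# Constructed customers: name -> remote encryption domain prefixes (made up).
CUSTOMERS = {
    "acme":    ["192.168.50.0/24"],
    "globex":  ["172.16.0.0/16", "172.20.8.0/22"],
    "initech": ["10.99.0.0/16"],
}


def ios_route(net, next_hop):
    """One Cisco-IOS-style static route line for the internal LAN router."""
    return f"ip route {net.network_address} {net.netmask} {next_hop}"


def router_routes(assignment, gateways=GATEWAYS, customers=CUSTOMERS):
    """Static routes the internal router needs, as a set of (network, next_hop).

    assignment maps customer name -> firewall currently holding that tunnel.
    Each remote encryption domain is sent to the firewall hosting its tunnel.
    The LAN default route is deliberately not touched: it keeps pointing at the
    old firewall until the last tunnel has moved.
    """
    routes = set()
    for cust, fw in assignment.items():
        for cidr in customers[cust]:
            net = ipaddress.ip_network(cidr, strict=True)
            routes.add((net, gateways[fw]))
    return routes


def overlapping_domains(assignment, customers=CUSTOMERS):
    """Customer pairs whose remote domains overlap while sitting on different
    firewalls. Such a pair cannot be split between the two gateways: the router
    picks the longest matching prefix, not the firewall that holds the tunnel,
    so part of the less specific customer's traffic would go to the wrong one."""
    nets = [(cust, fw, ipaddress.ip_network(cidr, strict=True))
            for cust, fw in assignment.items() for cidr in customers[cust]]
    clashes = set()
    for (c1, f1, n1), (c2, f2, n2) in combinations(nets, 2):
        if c1 != c2 and f1 != f2 and n1.overlaps(n2):
            clashes.add(tuple(sorted((c1, c2))))
    return sorted(clashes)


def move_tunnel(assignment, customer, new_fw, gateways=GATEWAYS, customers=CUSTOMERS):
    """Move one customer's tunnel to new_fw and return
    (new_assignment, added_lines, removed_lines): the exact router changes for
    this single step. Calling it again with the old firewall yields the rollback."""
    if new_fw not in gateways:
        raise ValueError(f"unknown firewall {new_fw!r}")
    new_assignment = dict(assignment, **{customer: new_fw})
    clashes = overlapping_domains(new_assignment, customers)
    if clashes:
        raise ValueError(f"cannot split overlapping remote domains: {clashes}")
    before = router_routes(assignment, gateways, customers)
    after = router_routes(new_assignment, gateways, customers)
    added = [ios_route(n, h) for n, h in sorted(after - before)]
    removed = ["no " + ios_route(n, h) for n, h in sorted(before - after)]
    return new_assignment, added, removed


if __name__ == "__main__":
    state = {c: "fw1-dsl" for c in CUSTOMERS}              # everything still on DSL
    state, add, rm = move_tunnel(state, "globex", "fw2-fiber")
    print("\n".join(rm + add))                              # paste into the router
    state, add, rm = move_tunnel(state, "globex", "fw1-dsl")  # rollback of that step
    print("\n".join(rm + add))
```

The per-customer routes only have to exist while tunnels are split across the two firewalls; once the last one has moved, the LAN default route is repointed at the new firewall and the specific routes can be withdrawn. The RIM approach mentioned above replaces the manual "added/removed" lines with routes the gateway injects itself when a tunnel comes up, but the same overlap caveat applies there: two customers whose remote domains overlap have to move together.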
sotea (Author) commented:
Hi all...

Thanks for sharing your thoughts!