On 26/07/2012 8:15, East, Bill wrote:
Nah, it's just inelegant. But I can live with it.
What I can't live with is what I found after some testing - once I defined the
VPN domains (on the Edge, just the remote subnet, on the central FW, all our
other subnets), I started to see traffic returning from the Internet (while
MPLS is up) hitting the firewall, then attempting to route through the VPN. I
assume it's being dropped at the other end because there's an ACK but no SYN
there.
Some Googling suggests that you can leave the subnets out of the VPN domain but
add static routes at different weights to the central firewall. I don't know. I
know other people have used the Checkpoint VPN as a backup before so I'm sure
it's not impossible but I'm starting to look at hiring a professional who's
done this before. It's getting complicated.
There is a technote about configuring OSPF in such a config to use the VPN
route as a backup when the main link is down.
https://downloads.checkpoint.com/dc/download.htm?ID=6940
If you can't get the file, just send me a direct email and I'll forward
it to you.
The document is quite old but the config should still work.
It requires OSPF at the local site and a route-based VPN config.