Title: RE: MEP

Jon,

First, thank you.  That was very helpful. 

Second, from a gateway-to-gateway standpoint (Extranet... aka encrypted tunnel), I would like to have one POP (Australia) consist of two IP110s (one primary and the other backup) and use purely VRRP without using any HA software and have this "virtual" gateway encrypt traffic to another IP440 located on another continent.  If the primary gateway in Australia fails and the backup kicks in through VRRP, will the Extranet tunnel still exist or will it require manual intervention? 

        - Is it possible to sync the state tables on the backup gateway without using HA?
        - Is it possible to share the encryption keys between the two firewalls in the Australia POP (without using HA), since apparently Stonebeat and CP HA automatically take care of this?

Thanks again,

Keyvan

-----Original Message-----
From: Jon Vandiveer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 21, 2001 8:43 AM
To: KMoussavi
Cc: [EMAIL PROTECTED]
Subject: re: MEP


1. Current active connections do not continue onto the original VPN
destination, as there is no state table information shared between the two
FW.
Even if the information was possible to share, the encryption keys of the
backup FW would be different, and the client would have to renegotiate.
2. MEP (HA for SecuRemote END users), NOT for FW's, therefore they must be
different IP's.
I suppose you could have two entry points into your network and 2 different
FW's for each of those connections, but @ that point you would be talking
about SEP (HA for FW's) or some other type of FW HA. Then the FW's would
fail over, if you were sharing state table info between them.

There is no "actual" MEP HA software, it is a built in feature to CP and the
SecuRemote/SecureClient software.

Jon



Folks,

Question regarding Check Point's MEP implementation...

1.  Will current active connections stay active after a Module
switch; in case Gateway A goes down and Gateway B takes over?
2.  Check Point has configuration instructions for setting up a MEP
but they have Gateway B and Gateway A on different networks.  Can
both Gateways be on the same network?

Check Point specifies that the following is only needed to create a back up
gateway through MEP:
1. Install FW-1 on GWA & GWB
2. Ensure proper routing
3. Enable "backup gateway for SR"
4. Enable IP Pool (if you want)
5. Ensure no clear text topology transfer
6. Create objects for GWA & B
7. Configure SR.

What about the actual HA software?  Is that not needed or will only enabling
"backup gateway for SR" take care of it?

