Third party IPSEC VPN with 2 peers
Hello all, sorry if this is already answered before, I've searched here and couldn't find anything related.
We have a customer that we need to establish an "HA" IPSEC VPN with. They have 2 remote peer addresses, let's name them site A and site B, both using Cisco ASA, with site A being the preferable one; if it becomes unavailable, we would still have the VPN established with site B.
I have a local R80.40 GW. I know I can set up a VPN community and add both interoperable devices to it, but how can I be sure that the traffic would only go to site B if site A is unavailable?
I also know that I could create 2 VPN communities, but if I do that I think I would have a problem with the encryption domain because they would be the same, right?
What would be the best way to achieve this setup?
Thanks!
Best Regards,
Hugo Thebas
I think the simplest and most predictable way to control this would be a route-based VPN with dynamic routing. Route-based VPNs involve setting up a virtual interface (called a VTI) on your firewall which acts like a really long Ethernet cable going to the remote VPN endpoint. Since it's an interface, you can do most of the normal interface things like running OSPF or BGP on it. Once you have dynamic routing set up, the other side can control which path you prefer by tweaking router IDs, OSPF link cost, or any number of other properties.
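An illustrative Gaia configuration for the approach described in this reply, added here as an example and not taken from the post or from Check Point documentation: one numbered VTI per ASA peer, OSPF on both VTIs, and a lower interface cost on the site A tunnel so site B only carries traffic when the site A adjacency is lost. The object names Peer_A / Peer_B and the 169.254.x.x tunnel addresses are assumptions; verify the exact command syntax against the Gaia admin guide for your release.

```clish
# Assumed names: Peer_A / Peer_B are the two Cisco ASA interoperable device
# objects in SmartConsole; 169.254.10.x and 169.254.20.x are constructed VTI
# tunnel addresses. With route-based VPN the remote encryption domain of both
# interoperable devices can be an empty group, which sidesteps the overlapping
# encryption domain problem raised in the question.

# 1) Create one numbered VTI per peer (expert mode -> vpn shell).
#    Syntax: interface add numbered <local tunnel IP> <remote tunnel IP> <peer object>
vpn shell
interface add numbered 169.254.10.1 169.254.10.2 Peer_A
interface add numbered 169.254.20.1 169.254.20.2 Peer_B
quit

# 2) Gaia clish: run OSPF over both VTIs. The lower cost on vt-Peer_A makes
#    it the preferred path; routes learned over vt-Peer_B are only installed
#    once the Peer_A neighbor times out (dead-interval) after the tunnel drops.
set ospf area backbone on
set ospf interface vt-Peer_A area backbone on
set ospf interface vt-Peer_A cost 10
set ospf interface vt-Peer_A hello-interval 10
set ospf interface vt-Peer_A dead-interval 40
set ospf interface vt-Peer_B area backbone on
set ospf interface vt-Peer_B cost 100
set ospf interface vt-Peer_B hello-interval 10
set ospf interface vt-Peer_B dead-interval 40
save config

# 3) Verify: while site A is up the customer prefix should resolve via vt-Peer_A.
show ospf neighbors
show route ospf
```

The ASA side needs a matching VTI and OSPF adjacency on each tunnel; the remote admins can then shift preference themselves by adjusting their advertised costs, as the reply notes.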
I agree, but it would also be nice if Check Point accounted for this scenario in the community, i.e. maybe by a priority list or by recognising a backup device in the community.
