Re: Check Point VPN design

Here is my thought on this. I come from a school of thought where I think the firewall should be left alone doing firewalling. VPN, remote access or L2L, should be done on Cisco IOS routers. If you want to design a network with full redundancy and automatic failover, I suggest you look at using GRE/IPSec and either EIGRP or OSPF. Basically, you place an IOS router on the DMZ at each site, where you do GRE/IPSec and tunnel your dynamic routing protocol. In case your 2GB internal link goes down, traffic between siteA and siteB will continue to flow via the VPN. When the 2GB link comes back online, it will take over because it has the shortest path between siteA and siteB as compared to the GRE/IPSec tunnel.
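
A sketch of the siteA router for the design described above, as an added example that is not part of the original post. All addresses (RFC 5737 and RFC 1918 ranges), interface names, the profile names, the OSPF cost and the pre-shared key placeholder are assumptions; siteB mirrors it with the peer addresses swapped.

```cisco
! siteA DMZ router: GRE over IPsec carrying OSPF (constructed example)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace it, or use certificate authentication
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description DMZ side, faces the firewall
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside-facing segment that also runs OSPF
 ip address 10.1.255.1 255.255.255.0
!
interface Tunnel0
 description GRE/IPsec backup path to siteB
 ip address 10.255.0.1 255.255.255.252
 ! Leave room for GRE and ESP overhead to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! High cost so the direct internal link wins whenever it is up
 ip ospf cost 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 ! The DMZ network is deliberately not advertised: the tunnel
 ! destination must never be learned through the tunnel itself
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.255.0 0.0.0.255 area 0
!
! Reach the peer's public address via the firewall's DMZ interface
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

The firewall in front of each router then only needs to permit IKE (UDP 500, plus UDP 4500 if NAT sits in the path) and ESP between the two tunnel endpoints. `show ip ospf neighbor` and `show crypto ipsec sa` confirm that the adjacency is up over Tunnel0 and that its traffic is being encrypted.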