2006-09-21
mr.blonde
Two ISP Uplinks on Checkpoint route VPN Traffic separate

hi

I have installed a Check Point firewall R55 and I am searching for a solution to connect a Nokia 350 box to two ISPs at the same time, not for fallback or load sharing. In this example I have two sites, A and B. I would like to route any traffic that is not VPN traffic to uplink number 1 and the VPN traffic through uplink number 2. The default gateway is the primary router on the external interface, which is connected to uplink 1. Behind the second external interface, which is connected to uplink 2, a router is also connected to provide a connection to the ISP.

I have 3 ideas to set up this scenario:

solution 1:
Use only one uplink on the Check Point firewall and route only the VPN traffic over this firewall. This firewall is connected on uplink 2. Set up a proxy server and connect the proxy to the NAT router directly on uplink number 1. On the proxy server I can install an iptables firewall script to protect the applications.

solution 2:
For this scenario we use one ISP and two uplinks. I can contact the provider and ask him; perhaps it is possible to route service-based. Traffic which has service UDP 500 and ESP (p50) will be routed via BGP over uplink 2, which is directly connected on the ISP router, and all other traffic will be routed over uplink 1, which is also connected on the ISP router.

solution 3:
Connect the two uplinks on the Check Point Nokia box.

an example:

On site A I have the external Check Point IP 123.123.123.10 and the internal network 10.10.10.0/24 which should be tunneled.

On site B I have the external Check Point IP 234.234.234.10 and the internal network 10.10.20.0/24 which should be tunneled.

I know that these IPs aren't correct.

My idea was: on site A, if the network 10.10.10.0/24 connects to the network 10.10.20.0/24 on site B, a tunnel will be established over the VPN community. The frames will be encrypted and a VPN header will be attached to the frame.

original frame is

source: 10.10.10.0/24
destination: 10.10.20.0/24

The new frame should look as follows after VPN encryption:

new source and destination
source: 123.123.123.10
destination: 234.234.234.10

The original source and destination are encrypted in the frame and aren't visible to the kernel or the OS, so it should be possible to route traffic which goes to the IP 234.234.234.10 to the router from uplink 2. So the Check Point should use uplink 2 only for VPN traffic and the rest over uplink 1.

Can I do this this way? Or is there a better solution?

Please excuse my bad English, I'm from Germany.
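The reasoning behind solution 3 (the routing decision only ever sees the outer header that the VPN gateway puts on the encrypted packet, so a host route for the peer gateway is enough to steer the tunnel out of a different interface) can be checked in a small simulation. The Python below is an added example, not part of mr.blonde's post and not Check Point or Nokia code. It builds a minimal ESP-style encapsulation around an inner packet, then runs a longest-prefix-match lookup over a two-entry routing table. Only the gateway and LAN addresses are taken from the post; the next-hop routers 123.123.123.1 (uplink 1) and 198.51.100.1 (uplink 2), the interface names and the 203.0.113.50 Internet destination are constructed placeholders.

```python
"""Added example: why a VPN gateway can steer encrypted traffic by outer
destination alone. Addresses other than the post's gateway/LAN ranges
are constructed placeholders, not a real configuration."""
import ipaddress
import struct

ESP = 50   # IP protocol number for ESP
UDP = 17

HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left at zero; enough for a lookup)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(HDR_FMT, ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt):
    """Return (src, dst, proto) from the outer 20 bytes; the rest is opaque."""
    fields = struct.unpack(HDR_FMT, pkt[:20])
    proto, src, dst = fields[6], fields[8], fields[9]
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto


def esp_encapsulate(inner_pkt, gw_src, gw_dst):
    """Tunnel-mode style wrapping: the whole inner packet becomes the ESP
    payload. A real SA would encrypt it; here a marker stands in for SPI,
    sequence number and ciphertext, which is all the router needs to know."""
    esp_payload = b"ESP" + inner_pkt
    return build_ipv4_header(gw_src, gw_dst, ESP, len(esp_payload)) + esp_payload


# Routing table as the box would hold it. Next hops are constructed:
# uplink 1 router in the gateway's own range, uplink 2 router on a
# separate transfer network for the second external interface.
ROUTES = [
    ("0.0.0.0/0", "123.123.123.1", "uplink1"),          # default via ISP 1
    ("234.234.234.10/32", "198.51.100.1", "uplink2"),   # peer gateway via ISP 2
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def egress_for(pkt):
    """Route on the outer header only, exactly as the kernel does: the
    inner 10.10.x.x addresses are never consulted."""
    _, dst, _ = parse_ipv4_header(pkt)
    return route_lookup(dst)


def demo():
    # Constructed LAN hosts inside the two tunneled networks from the post.
    inner = build_ipv4_header("10.10.10.5", "10.10.20.7", UDP, 8) + b"\x00" * 8
    vpn_pkt = esp_encapsulate(inner, "123.123.123.10", "234.234.234.10")
    # Constructed non-VPN flow, already NATed to the external address.
    plain_pkt = build_ipv4_header("123.123.123.10", "203.0.113.50", UDP, 8) + b"\x00" * 8
    return {
        "vpn_outer": parse_ipv4_header(vpn_pkt),   # gateway-to-gateway, proto 50
        "vpn_egress": egress_for(vpn_pkt),         # host route wins -> uplink2
        "plain_egress": egress_for(plain_pkt),     # default route -> uplink1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the encrypted packet leaving via the /32 host route on uplink 2 while the ordinary flow follows the default route on uplink 1, which is the behaviour the post expects. The lookup is only half of the picture in practice: the peer answers to whatever source address it sees on the tunnel packets, so which external address the tunnel uses and which uplink the replies arrive on decide whether the path is symmetric, and the firewall's per-interface anti-spoofing topology has to accept the addresses that appear on each external interface.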