CPUG | The Check Point User Group | A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I have installed a Check Point firewall R55 and I am searching for a solution to connect a Nokia 350 box to two ISPs at the same time, not for fallback or load sharing. In this example I have two sites, A and B. I would like to route any traffic that is not VPN traffic to uplink number 1 and the VPN traffic through uplink number 2. The default gateway is the primary router on the external interface, which is connected to uplink 1. Behind the second external interface, which is connected to uplink 2, a router is also connected to provide a connection to the ISP. I have 3 ideas to set up this scenario.

Solution 1: use only one uplink on the Check Point firewall and route only the VPN traffic over this firewall. This firewall is connected on uplink 2. Set up a proxy server and connect the proxy to the NAT router directly on uplink number 1. On the proxy server I can install an iptables firewall script to protect the applications.

Solution 2: for this scenario we use one ISP and two uplinks. I can contact the provider and ask him; perhaps it is possible to route based on service. Traffic with service UDP 500 and ESP (p50) will be routed via BGP over uplink 2, which is directly connected to the ISP router, and all other traffic will be routed over uplink 1, which is also connected to the ISP router.

Solution 3: connect the two uplinks on the Check Point Nokia box.

An example: on site A I have the external Check Point IP 123.123.123.10 and the internal network 10.10.10.0/24, which should be tunneled. On site B I have the external Check Point IP 234.234.234.10 and the internal network 10.10.20.0/24, which should be tunneled. I know that these IPs aren't correct. My idea was: on site A, if the network 10.10.10.0/24 connects to the network 10.10.20.0/24 on site B, a tunnel will be established over the VPN community, the frames will be encrypted and a VPN header will be attached to the frame. The original frame is source: 10.10.10.0/24, destination: 10.10.20.0/24. After VPN encryption the new frame should look as follows, with new source and destination: source: 123.123.123.10, destination: 234.234.234.10. The original source and destination are encrypted in the frame and are not visible to the kernel or the OS, so it should be possible to route traffic that goes to the IP 234.234.234.10 to the router of uplink 2. So the Check Point should use uplink 2 only for VPN traffic and the rest over uplink 1. Can I do this this way? Or is there a better solution? Please excuse my bad English, I'm from Germany.

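Added illustration of the routing reasoning in the question above (not code from the thread or from Check Point): a toy longest-prefix-match model of site A's routing table, with an assumed /32 route for the site B gateway via the uplink 2 router, applied to the outer header after tunnel-mode encapsulation. The next-hop router addresses and the protected-network definitions are assumptions; whether IPSO/R55 actually forwards encrypted packets this way is what the replies dispute, so this shows the idea, not the product behaviour.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    uplink: str


# Constructed routing table for site A. Gateway and network addresses come
# from the question; the two next-hop router addresses are assumptions.
SITE_A_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "123.123.123.1", "uplink1"),        # default via ISP 1 router
    Route(ipaddress.ip_network("234.234.234.10/32"), "198.51.100.1", "uplink2"),  # site B gateway via ISP 2 router
    Route(ipaddress.ip_network("10.10.10.0/24"), "connected", "lan"),
]


def select_route(dst: str, routes=SITE_A_ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def encapsulate(src: str, dst: str, local_gw="123.123.123.10", peer_gw="234.234.234.10",
                protected_src=ipaddress.ip_network("10.10.10.0/24"),
                protected_dst=ipaddress.ip_network("10.10.20.0/24")) -> dict:
    """Model IPsec tunnel mode: traffic between the two protected networks gets a
    new gateway-to-gateway outer header (ESP); anything else leaves unchanged."""
    if ipaddress.ip_address(src) in protected_src and ipaddress.ip_address(dst) in protected_dst:
        return {"src": local_gw, "dst": peer_gw, "proto": "ESP"}
    return {"src": src, "dst": dst, "proto": "IP"}


def egress_uplink(src: str, dst: str) -> str:
    """Route on the header the kernel sees, i.e. the outer one after encryption."""
    outer = encapsulate(src, dst)
    return select_route(outer["dst"]).uplink


if __name__ == "__main__":
    print("LAN -> site B LAN:", egress_uplink("10.10.10.5", "10.10.20.7"))   # VPN traffic -> uplink2
    print("LAN -> Internet:  ", egress_uplink("10.10.10.5", "8.8.8.8"))      # everything else -> uplink1
```

Routing on the inner destination (10.10.20.0/24) would hit only the default route, which is why the question's argument depends on the forwarding decision being made on the outer header.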
Hey! Basically I have to say that the idea behind ISP Redundancy is to realize failover, in two modes: primary/backup or load sharing. Maybe I did not understand everything well, but don't you want to have failover? What exactly do you mean with the third setup? If you use CP for the VPN on both sides and ISP Redundancy is set up properly, it will work for all communities over both links, no matter which one is up; you could also use multiple entry points if one link fails. Anyway, maybe you could explain again what exactly you expect from the third setup. By the way, I'm from Germany too ;)
__________________ misery is optional

Hi, the 3 ideas are for the same scenario; these are my 3 solution ideas. No, I don't want failover. I need to separate the VPN traffic over the second provider and the "any" traffic to provider one. On the external interface of the CP (Nokia) I have connected the default router of provider one, and this is the default routing gateway. On another (WAN) interface on the same box I would like to connect the second router from provider two. On both sites I have a Check Point solution. My idea in solution 3 was to route the VPN packets, which are encrypted and have changed their original source and destination address. The new destination address of the packet after VPN encryption is the external IP address of site two, and so I would like to route this destination over the second uplink on the other WAN interface over provider 2.

I think I can't help you with your needs; my experience is that the only right way to work with 2 links is to use the ISP Redundancy feature and let the CP mechanism "do the work". I also tried several setups, but I always came back to where I started. Maybe your provider can help you with custom routing; I also tried things here, but I saw that most (not all) providers offer (expensive) solutions for such scenarios. Anyway, I hope you'll find a way to realize your needs.
__________________ misery is optional

Hi, okay, maybe I will try it with ISP Redundancy. The idea was to separate the traffic by service, such as VPN traffic and all other. I read in the Check Point manual that only SecurePlatform and Linux (Red Hat) support the ISP Redundancy feature in R55. Is this correct? R61 supports IPSO too. Is there a chance to configure it with R55 on the IPSO or Sun Solaris 9 platform?

I have no skills with CP under Solaris; maybe there's a way to get it working. I know that there are limitations in R55. I wouldn't use the feature with R55; there are some internal notes from CP where some features are not working properly. I recommend upgrading to R60 or R61.
__________________ misery is optional