Static Routing and VPN Domain

Binary_01 · #1 (**permalink**) 2007-05-30

Setup: NGX R62 on SPLAT in HA

Ok I have 2 gateways in a vpn mesh. Those 2 gateways also have a Lan Extension between each other.

Basically the lanex terminates on the physical interfaces of both firewalls.

Right now, even if I added a static route to route the traffic via the LanEx, the traffic still gets routed via the VPN tunnels.

Ideally, I would like to take advantage of my 100mbit lanex and use it in priority and use the VPN tunnel as a failover.

Can someone point me in the right direction?

Regards,

Binary_01 · #2 (**permalink**) 2007-05-30

I have a feeling that it has to do with the vpn_route.conf file...

mcnallym · #3 (**permalink**) 2007-06-06

Apologies if you have already been told this, In terms of Check Point routing then I understand (from being told by Check Point) that if there is a VPN between two gateways then this takes precedence over static routes.

What I would suggest that you do is place a pair of routers between the LAN and the Check Point and then plug the LANEX into the Routers. You can then use the Routers to control routing, with the VPN being there as a secondary route.

Binary_01 · #4 (**permalink**) 2007-06-07

Thank you for replying, this was actually my plan B, Plan B setup is what I saw in other companies.

But my boss insists that the LanEx passed thru the Firewall.

Now I'm thinking that I should be able to do what I want by creating a site to site vpn tunnel with the other checkpoint connected at the other end of the LanEx.
So my two sites would have redundant VPN links with each other. One thru the LanEx and one thru the internet.

What do you guys think about that? Will I be able to set a metric on the LanEx VPN and use the Internet VPN as failover? Will I need to use SPLAT pro to do this? We don't have SPLAT Pro and prefer to keep it simple and not use any routing protocols. I would find it odd if this would not be supported... We should be able to create redundant VPN tunnels and set metric like we do with routers. I guess I would have to setup a traditional VPN in order to accomplish this.

chillyjim · #5 (**permalink**) 2007-06-10

You can use VPN link selection to do this.

Use VPN->Link Selection->Use a Probing Method->Using on going Probing

Binary_01 · #6 (**permalink**) 2007-06-13

I appreciate your input!!

Thanks guys!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode