CPUG, The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All,

I'm going DR crazy and looking at ways to implement DR across our two main data offices in London :-) Site A and B in London both have an internet pipe of equal size. We have a Check Point VPN cluster in site A and I'm considering purchasing a Check Point VPN cluster for site B. The cluster is serving as an IPSEC endpoint for remote users and sites. Both site A and B have a 2 Gig internal link between them.

Currently when site A's Internet link fails our dynamic routing advertises our site A addresses from site B's internet router and we just route site A addresses through B to get to A. This model works fine. However, I'm trying to convince myself we need a VPN terminating device at site B too, but I like the model we currently use as it works well :-)

I'm curious as to how others have implemented VPN resiliency across their sites? Any views, suggestions on this? I personally do not see the benefit unless you would want to split load across the two sites or did not have an internal link between two of your sites.

Cheers
Testing-123
Only 2 things I can think of:

1. How reliable is your 2 Gig internal link? Do you need a redundant path between sites? The VPN could buy you that.
2. Do you have a requirement for Remote Access VPN? The second termination point would buy you a MEP RA setup.

That's about it though. Considering you've got a big internal pipe, there's no real gain from an internet-based tunnel as well, unless there's a particular need for more bandwidth.
Here is my thought on this. I came from a school of thought where I think a firewall should be left alone doing firewall. VPN, remote access or L2L, should be done on Cisco IOS routers. If you want to design a network with fully redundant and automatic failover, I suggest you look at using GRE/IPSec and either EIGRP or OSPF. Basically you place an IOS router on the DMZ at each site where you do GRE/IPSec and tunnel your dynamic routing protocol. In case your 2GB internal link goes down, traffic between site A and site B will continue to flow via the VPN. When the 2GB link comes back online, it will take over because it has the shortest path between site A and site B as compared to the GRE/IPSec tunnel.
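The GRE-over-IPsec-with-OSPF design described in the post above, as an added illustration that is not the poster's configuration: a Cisco IOS fragment for the site A DMZ router. All addresses, interface names, the peer address, the key placeholder and the OSPF costs are assumptions; it also assumes the router's inside interface already runs OSPF with the site A core, where the 2 Gig internal link is advertised at a low cost, so the tunnel carries site-to-site traffic only while that link is down. Site B gets the mirror-image configuration.

```cisco
! Site A DMZ router: GRE over IPsec to site B as a backup path for the
! 2 Gig internal link. Addresses, names and the peer are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! 203.0.113.2 is site B's assumed Internet-facing address
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES256
!
interface Tunnel0
 description GRE/IPsec to site B over the Internet (backup path)
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
! High OSPF cost: the 2 Gig internal link (low cost, advertised by the
! core) is preferred while it is up; the tunnel takes over when it fails
 ip ospf cost 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-GRE
!
interface GigabitEthernet0/0
 description Internet-facing (tunnel source)
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside interface toward the site A core
 ip address 10.1.0.1 255.255.255.0
!
! Reach the tunnel peer via the Internet router, never via the tunnel
! itself (OSPF only carries 10.x prefixes, so no recursive routing)
ip route 203.0.113.2 255.255.255.255 198.51.100.2
!
router ospf 1
 router-id 10.255.255.1
 passive-interface GigabitEthernet0/0
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
```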
Hi,

Thank you both for your replies, interesting. How does MEP work? If I have a remote site called site C and remote workers, how can they "automatically" flip between site A and site B VPN firewalls? I do not want a situation where if site A is down, users and remote firewall administrators have to change where they peer to manually.

Regards
Testing-123
Hi cciesec2006,

Interesting comments, sounds like something I need to try out in the lab. However, a Cisco IOS router does not allow you to do NAT (i.e. source and destination in a TCP connection), which is what a lot of my VPNs are set up to do. But I do agree with a firewall remaining a firewall. My blood boils when I get asked to set up dynamic objects to resolve domain names! Firewall rules should not be populated using DNS server replies! It just introduces another point of vulnerability to your firewalls....

Regards
Testing-123
Quote:

VPN on Cisco devices and do NAT on the firewalls. My preference is to do NAT on the firewalls. Check Point is great at that. VPN on Cisco IOS because routers are great at VPN. You will find that it will make your life much easier in terms of troubleshooting and support.

my 2c
Hi cciesec2006,

What I meant was: can you NAT the source and destination in one TCP connection on a Cisco IOS router? With Check Point, you just add a translate source and destination entry in one NAT rule. Correct me if I'm wrong, but with Cisco you can't do this. You either NAT the source or the destination?

Regards
Testing-123
Not to start the next holy war here but...

S2S VPN: if you do not manage both sites and both sites are not Check Point, then I agree you might as well let the router do it. If both sites are managed by you and they are Check Point, it's just too easy to let the VPN-1 do it. As for client-to-site (aka remote access): VPN-1, or if you really want Cisco then an ASA, not a router.

Now as for MEP: if it's all Check Point under the same SmartCenter/P-1 it will pretty much take care of itself when you have multiple center gateways for a remote access community. For an S2S, you need to go to advanced settings->MEP to enable it.

If this is a full DR site, with replicated servers and the like, you need the firewall. If it's just a POP with a leased line back to the main site, and that line terminates outside the firewall, then don't worry about it.
I also believe that the VPN features of Check Point are really sweet and I would definitely do the VPNs on the firewalls, both client-2-site and site-2-site (I'm a bit partial to Check Point, yeah). MEP is quite easy and works well: when the client realizes it can't connect to the main site, it will just use the secondary one.
This is a typical design for an enterprise. The reason that most companies go with a VPN Concentrator for remote access and IOS routers for L2L VPN is the flexibility of IOS routers and VPN concentrators to do GRE/IPSec and dynamic routing protocols within the IPSec tunnel. NAT on Check Point is the best because it is so flexible. Just about every place I work uses this design.
So I guess MEP works with site-to-site VPNs too? If a remote VPN firewall cannot peer to site A it will peer to site B? What happens when A is back online? Will do some reading on MEP....

Thank you all for your input.

Regards
Testing-123