I have a relatively involved issue, but I will keep it short and easy to read. I am using NG AI (R55) on 5 gateways. All gateways are protecting local networks also attached to a frame-relay network. I am looking to provide a VPN failover in the event the frame goes down. I CAN accomplish this by configuring each firewall to not recognize the other networks, but then remote networks can't access the remote firewalls for obvious reasons. The reason I need this is so that if a circuit goes down on the internet side, the traffic is being re-routed to another site for internet access. I am running SPlat utilizing OSPF for the routing updates (which work like a charm). I am facing 3 problems in making this work properly.
2) Anti-Spoofing no longer allows you to make an address valid on both interfaces! I used to be able to configure it as Others+ and add the local networks to both interfaces with older versions of Check Point.
3) In the event that the traffic needs to be routed back to the local router (for instance, traffic is still being routed to a firewall right after the circuit goes down), I need to send the traffic back to the local router...AND NOT ENCRYPT IT! Can I put a rule just on the external interface that will encrypt only if it routes across that interface?
I have looked through every Check Point book (including Phoneboy's) to see if some information like this exists. I really appreciate any help.
OK, not sure if anyone is actually interested in this topic, but I got the solution...and it is a damn good one! I used GRE between my Cisco frame routers, and I created a unique loopback address for each router as the source and destination of the GRE tunnels so that I didn't have any overlap on the encryption domains. I am also running OSPF over those tunnels, so it works very, very efficiently. I can shut down serial interfaces almost anywhere and still have connectivity through my main OSPF area 0, and the internal Cisco routers handle it perfectly. All of the GRE traffic is encrypted as well. I will be glad to help anyone out if they are interested, because I got this idea from an old newsgroup on Phoneboy.
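The design the poster describes, written out as an added Cisco IOS configuration example (this is not the poster's own config, and every address, interface name and OSPF cost below is a constructed placeholder). The idea it demonstrates: each router gets a /32 loopback that is the only address in its firewall's VPN encryption domain, the GRE tunnel is sourced from and destined to those loopbacks, and OSPF runs over the tunnel at a higher cost than the frame-relay PVC, so the VPN path is only used when the frame goes down. Because the encryption domain contains just the loopback, the local LANs never overlap between gateways (problem 2) and traffic handed back to the local router is never matched by the VPN (problem 3).

```cisco
! ===== Site A router (example, constructed addresses) =====
! Assumed: site A LAN is 10.1.0.0/16, the Check Point gateway's inside
! address is 10.1.0.1, site B LAN is 10.2.0.0/16.
!
interface Loopback0
 description GRE endpoint - the ONLY address in site A's VPN encryption domain
 ip address 10.255.0.1 255.255.255.255
!
interface Serial0/0
 description Frame-relay PVC to site B (preferred path, low OSPF cost)
 encapsulation frame-relay
 ip address 192.168.255.1 255.255.255.252
 ip ospf cost 100
!
interface Tunnel0
 description GRE to site B, carried inside the firewall-to-firewall VPN
 ip address 172.16.255.1 255.255.255.252
 tunnel mode gre ip
 tunnel source Loopback0
 tunnel destination 10.255.0.2
 ! GRE keepalives drop the line protocol if the VPN path dies, so OSPF
 ! tears the adjacency down quickly instead of waiting for dead-interval
 keepalive 10 3
 ! Backup path: higher cost than the PVC, so only used on failure
 ip ospf cost 1000
 ! Leave headroom for GRE + IPsec overhead on the Internet path
 ip mtu 1400
 ip tcp adjust-mss 1360
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 192.168.255.0 0.0.0.3 area 0
 network 172.16.255.0 0.0.0.3 area 0
 ! Loopback0 is deliberately NOT advertised: if the remote loopback were
 ! learned through the tunnel, IOS would flag recursive routing and shut
 ! the tunnel. The loopbacks are reached only via the firewalls.
!
! Remote loopback is reachable through the local Check Point gateway,
! which encrypts it (encryption domain: 10.255.0.1/32 <-> 10.255.0.2/32)
ip route 10.255.0.2 255.255.255.255 10.1.0.1

! ===== Site B router (mirror image, constructed addresses) =====
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface Serial0/0
 encapsulation frame-relay
 ip address 192.168.255.2 255.255.255.252
 ip ospf cost 100
!
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 tunnel mode gre ip
 tunnel source Loopback0
 tunnel destination 10.255.0.1
 keepalive 10 3
 ip ospf cost 1000
 ip mtu 1400
 ip tcp adjust-mss 1360
!
router ospf 1
 network 10.2.0.0 0.0.255.255 area 0
 network 192.168.255.0 0.0.0.3 area 0
 network 172.16.255.0 0.0.0.3 area 0
!
ip route 10.255.0.1 255.255.255.255 10.2.0.1
```

On the firewall side the matching assumption is that each gateway's VPN domain is defined as just its router's Loopback0 host address rather than the LAN behind it. That is what keeps the encryption domains disjoint: the firewall only ever sees loopback-to-loopback GRE packets as VPN traffic, while LAN-to-LAN packets that OSPF steers back to the frame-relay router stay in the clear. The recursive-routing comment is the check worth doing when building this: verify with `show ip route 10.255.0.2` that the remote loopback resolves via the firewall and not via Tunnel0, otherwise the tunnel will flap.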