[vpn] RE: [FW-1] VPN with OSPF for Failover

Cardona, Alberto alberto.cardona at cnacm.com
Thu Oct 25 11:54:43 EDT 2001

What I want to do is for my friend's remote vpn sites (10) to fail over to
his secondary VPN HUB.
Here is his scenario.

He just got acquired by another company.
His current company relies on a full-blown IPsec VPN mesh with a backup.
He is running Voice over IP through his IPsec 3DES VPN.

This new company relies on a LARGE Frame network that runs OSPF on Ciscos.
They now want to implement a VPN running OSPF because they use OSPF.
They installed a frame link from his location (New York) to their
headquarters (Detroit).
Now they want to implement a secondary location (Houston) which has an
Internet connection and a frame connection back into the headquarters (Detroit).
They want this secondary location (Houston) to be a backup in case his
location (New York) fails for his remote sites.

Someone within this new company mentioned that his current Nokia/Check Point
solution won't work with the failover design because IPsec can't handle
multicast/broadcast traffic (ex
They need to run OSPF for a failover design.

Their solution is to REMOVE all of his Nokia/Check Point and implement a
Cisco router-based VPN design.
Cisco 1750 for remote sites and 7140 for each hub.
Each router, both remote site and hub, will have Cisco's firewall/IDS package
and encryption module.
The Cisco VPN tunnels are going to be using GRE encapsulation for the
In case of a failover to the secondary HUB, OSPF will update the Frame
network regarding the failover.
IPsec 3DES for the data encryption.
This new design is not going to be a MESH but a Hub and Spoke.

His problem with this HUB and SPOKE design is this.

1).  He is afraid because this design relies on a 1-tier security design.
     The Cisco routers will be handling the VPN, routing protocols,
     firewall, and IDS on each router.
     His current design is 2-tier.
     Cisco for the Internet router and Nokia/Check Point for VPN/Firewall.

2).  He thinks his Voice over IP will fail between remote sites because the
     MESH will be gone.

3).  The performance of the Cisco.  Would they be able to handle the load?
     Since they will be doing everything. (VPN, routing, and IDS)

Has anyone implemented this solution?
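
The following is an added example of what the spoke side of the design described above looks like in Cisco IOS; it is not from this thread, Alberto, or the acquiring company, and it was not taken from any real deployment. Every address, interface name, key string and OSPF cost below is a constructed placeholder. It shows the two points that drive the design: OSPF hellos are multicast, so they are carried inside GRE and only the GRE packets are protected by IPsec (3DES, as in the thread), and the New York hub is preferred over the Houston hub purely by OSPF cost, so failover needs no manual change at the remote site.

```cisco
! Added example (not from the thread). Spoke router with two GRE-over-IPsec
! tunnels: primary to the New York hub, backup to the Houston hub.
! All addresses, names and the PSK are constructed placeholders.
!
! --- IKE / IPsec: 3DES as stated in the thread ------------------------------
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Placeholder PSKs; 203.0.113.1 = New York hub, 198.51.100.1 = Houston hub
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-3DES esp-3des esp-sha-hmac
! Transport mode is sufficient: GRE already supplies the outer IP header
 mode transport
!
! Only GRE between this spoke and each hub is sent through IPsec.
! Anything else toward the hub public addresses is not encrypted, so the
! crypto ACLs double as a statement of what the tunnel is allowed to carry.
access-list 101 permit gre host 192.0.2.10 host 203.0.113.1
access-list 102 permit gre host 192.0.2.10 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-3DES
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-3DES
 match address 102
!
! --- Internet-facing interface (constructed address) ------------------------
interface FastEthernet0
 ip address 192.0.2.10 255.255.255.0
 crypto map VPN
!
! --- GRE tunnel to the primary (New York) hub: low OSPF cost = preferred ----
interface Tunnel0
 description Primary to New York hub
 ip address 10.255.0.2 255.255.255.252
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
!
! --- GRE tunnel to the backup (Houston) hub: high cost, used only on failure
interface Tunnel1
 description Backup to Houston hub
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
!
! --- OSPF: hellos to 224.0.0.5 travel inside GRE, so IPsec never sees
!     multicast. The Internet interface is passive so no OSPF is spoken
!     toward the outside.
router ospf 1
 network 10.255.0.0 0.0.1.255 area 0
 network 10.1.0.0 0.0.255.255 area 0
 passive-interface FastEthernet0
```

With this in place the spoke learns the headquarters and other-site prefixes over both tunnels and installs them via Tunnel0 because of its lower cost; when New York stops answering, the shortened hello/dead timers (5 s/15 s, chosen here to suit voice, not IOS defaults) expire the adjacency and the same prefixes are installed via Tunnel1, while the hubs advertise the change into the Frame network through their own OSPF. The hub configuration mirrors this with one tunnel per spoke. Note that this addresses the failover question only; in a hub-and-spoke topology, spoke-to-spoke voice traffic (concern 2 above) transits the hub, and the crypto ACLs above do nothing to restrict unencrypted traffic to the router's public interface, which is what the 1-tier concern (concern 1 above) is about.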


-----Original Message-----
From: Chris Arnold [mailto:chris.arnold at WheelHouse.com]
Sent: Wednesday, October 24, 2001 10:12 PM
To: 'Cardona, Alberto '; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com '
Subject: RE: [FW-1] VPN with OSPF

That depends on what you mean by "running site to site IPsec VPNs and using
OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
or using OSPF to route traffic to available VPN endpoints before going
through a tunnel or on your edge routers once your VPN traffic has been


-----Original Message-----
From: Cardona, Alberto
To: FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Sent: 10/24/01 4:16 PM
Subject: [FW-1] VPN with OSPF

Is anyone running site to site IPsec VPNs and using OSPF?
If so did you have to implement GRE?



VPN is sponsored by SecurityFocus.com