[vpn] RE: [FW-1] VPN with OSPF for Failover

Cardona, Alberto alberto.cardona at cnacm.com
Fri Oct 26 13:12:37 EDT 2001

As for security involving protecting the VPN appliance:
Is it safe to assume that the firewall capabilities of the Cisco router add-on
firewall package (CBAC) are equivalent to
Check Point FW-1?  We are now comparing firewall to firewall.
If they are comparable,
then I should be able to replace my Check Point firewall with a Cisco router
using its firewall add-on package.

One more thing involving Multicast.
Does the IP stack of a Nokia or Cisco support ip-multicast protected by
I read a document regarding this proposal.
It was called "An IPSec-based Host Architecture for Secure Internet
I guess it is similar to IAB SMuG.



-----Original Message-----
From: Stephen Hope [mailto:stephen.hope at energis.com]
Sent: Friday, October 26, 2001 4:10 AM
To: 'Cardona, Alberto'; 'Chris Arnold';
'FW-1-MAILINGLIST at beethoven.us.checkpoint.com '; vpn at securityfocus.com
Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover


I work as a designer / consultant for a UK reseller of both Cisco and Nokia
- so I have some bias for this type of project.

1 point - the Nokia running Check Point does support OSPF.

Your friend may be able to extend his VPN to the new site, then interconnect
at the 2 hub points and exchange OSPF routes with the Cisco system.

If nothing else this should reduce capital cost and project complexity,
although I think your "all Cisco" design could be cheaper in year-on-year
support charges.

However, the critical bit with a hybrid system is what happens under fault
conditions - the Check Point topology you describe probably doesn't react
effectively to system faults - your description implies there isn't any
resilience at the moment, whereas a dual-centred star type topology can
survive a hub site failure.

If you can make the Nokia system reroute around a fault (the major fault to
worry about is failure of a hub site), then the existing VPN will interwork
OK - if you can't resolve that issue then replacement may be the only option.

Standing back from this I have 2 comments:

1.	If voice transport is an issue, then the requirement MUST be written
down in the project scope for this migration - your friend should be giving
input to that process. Hopefully, if it isn't, there is some broad comment
somewhere about "maintain existing services and performance".

2.	This is a classic example of a project which needs to be modelled on
a bench before anyone tinkers with the real network - you are not going to
get clear unambiguous known solutions to this unless you "kick the tires"
before you start.

It is possible that the proposal for Cisco replacement is there to give
either a worst-case cost model, or a system design which reduces skills,
support costs and so on - if you don't know what is important in setting the
project up, and make sure existing requirements are taken into account, then
this migration is going to be difficult.

Finally, check to see if existing uses have been taken into account - Nokia
is often used as a remote access gateway, and a change to Cisco may involve
reworking every RAS client to go from Check Point VPN client to Cisco...



Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776

> -----Original Message-----
> From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
> Sent: 25 October 2001 16:55
> To: 'Chris Arnold'; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com ';
> vpn at securityfocus.com
> Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
> What I want to do is for my friend's remote VPN sites (10) to fail over to
> his secondary VPN hub.
> Here is his scenario.
> He just got acquired by another company. His current company relies on a
> full-blown IPsec VPN mesh with a backup ISDN. He is running Voice over IP
> through his IPsec 3DES VPN.
> This new company relies on a LARGE Frame network that runs OSPF on Ciscos.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit). Now they want to implement a secondary location
> (Houston) which has an internet connection and a frame connection back into
> the headquarters (Detroit). They want this secondary location (Houston) to
> be a backup in case his location (New York) fails for his remote sites.
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the failover design because IPsec can't handle
> multicast/broadcast traffic (ex. OSPF). They need to run OSPF for a failover
> design.
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco router based VPN design: Cisco 1750s for remote sites and a 7140 for
> each hub. Each router, both remote site and hub, will have Cisco's
> firewall/IDS package and encryption module. The Cisco VPN tunnels are going
> to be using GRE encapsulation for the OSPF. In case of a failover to the
> secondary hub, OSPF will update the Frame network regarding the failover.
> IPsec 3DES for the data encryption. This new design is not going to be a
> MESH but a hub and spoke.
> His problem with this hub and spoke design is this:
> 1). He is afraid because this design relies on a 1-tier security design.
>      The Cisco routers will be handling the VPN, routing protocols,
>      firewall, and IDS on each router.
>      His current design is 2-tier:
>      Cisco for the Internet router and Nokia/Check Point for VPN/firewall.
> 2). He thinks his Voice over IP will fail between remote sites because the
>      MESH will be gone.
> 3). The performance on the Cisco. Would they be able to handle the load,
>      since they will be doing everything (VPN, routing, and IDS)?
> Has anyone implemented this solution?
> AC
> -----Original Message-----
> From: Chris Arnold [mailto:chris.arnold at WheelHouse.com]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; 
> 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com '
> Subject: RE: [FW-1] VPN with OSPF
> That depends on what you mean by "running site to site IPsec VPNs and using
> OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason,
> or using OSPF to route traffic to available VPN endpoints before going
> through a tunnel, or on your edge routers once your VPN traffic has been
> encapsulated?
> Chris
> -----Original Message-----
> From: Cardona, Alberto
> To: FW-1-MAILINGLIST at beethoven.us.checkpoint.com
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
> Thanks
> AC
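The GRE-over-IPsec point the thread keeps returning to (a site-to-site IPsec SA exists between two unicast peers, so OSPF's multicast hellos have to be wrapped in unicast GRE before the tunnel will carry them), shown as an added example that is not code from any poster. The hub and spoke addresses, the OSPF hello contents and the IPsec policy model are constructed assumptions for illustration.

```python
import struct
import ipaddress

ALL_SPF_ROUTERS = "224.0.0.5"      # multicast group OSPF hellos are sent to
PROTO_GRE, PROTO_OSPF = 47, 89     # IP protocol numbers
GRE_PTYPE_IPV4 = 0x0800            # GRE protocol-type field for an IPv4 payload
IPV4_HDR = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; the checksum stays zero since nothing here is transmitted."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of the outermost IPv4 header."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6], pkt[20:]

def ospf_hello(router_ip):
    """Constructed stand-in for an OSPF hello: version 2, type 1, 24-byte header, zeroed fields."""
    ospf = struct.pack("!BBH", 2, 1, 24) + bytes(20)
    return ipv4_header(router_ip, ALL_SPF_ROUTERS, PROTO_OSPF, len(ospf), ttl=1)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """RFC 2784 GRE (flags/version 0, protocol type IPv4) inside a unicast outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre)) + gre

def gre_decapsulate(pkt):
    """Strip the outer IPv4 and GRE headers, returning the original inner packet."""
    _, _, proto, payload = parse_ipv4(pkt)
    _, ptype = struct.unpack("!HH", payload[:4])
    if proto != PROTO_GRE or ptype != GRE_PTYPE_IPV4:
        raise ValueError("not an IPv4-in-GRE packet")
    return payload[4:]

def ipsec_sa_accepts(pkt, local, peer):
    """Model of a site-to-site IPsec SA: it is negotiated between two unicast peers, so only
    traffic from this endpoint to that peer is protected; a multicast destination never matches."""
    src, dst, _, _ = parse_ipv4(pkt)
    return src == local and dst == peer and not ipaddress.IPv4Address(dst).is_multicast

def demo(hub="198.51.100.1", spoke="203.0.113.2"):  # constructed addresses (RFC 5737 ranges)
    hello = ospf_hello(hub)
    tunneled = gre_encapsulate(hello, hub, spoke)
    return {
        "raw_hello_protected": ipsec_sa_accepts(hello, hub, spoke),         # False
        "gre_hello_protected": ipsec_sa_accepts(tunneled, hub, spoke),      # True
        "inner_dst_after_decap": parse_ipv4(gre_decapsulate(tunneled))[1],  # "224.0.0.5"
    }
```

The raw hello is rejected because its destination is the 224.0.0.5 group rather than the peer; once wrapped in GRE the outer header is plain unicast between the two hubs, and the spoke recovers the untouched multicast hello after decapsulation.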

VPN is sponsored by SecurityFocus.com
