
SPLAT with ospf and VPN

Status
Not open for further replies.

rn4it

Here's the situation: we have an office that has a private circuit to a main branch. If this link fails, we then manually enable the VPN to the main branch, modify a couple of static routes, and they're up. We would like to automate this. Here's my question: if at the branch office we swap out their VPN edge device and replace it with a SPLAT device running OSPF, and configure OSPF to route the traffic via the private link, will this work? Or will the VPN override the OSPF? I'm thinking the packet will be encrypted before it gets routed to the private link.

Thanks
 
Hi There,

What you are trying to do is perfectly achievable.
That being said, I think you need NGx to do that.

What you are trying to do is, "according to Cisco,"
OSPF via GRE and tunnel everything via IPSec. I know how
to do that with Cisco but I don't know how to do that with
Checkpoint. With NGx, there is a feature called Virtual
Tunnel Interface (VTI) that can do the same thing as Cisco,
but I have not tried it so I don't know how reliable it
is.

On the other hand, it can be done if both the main office
and the branch use Nokia. You can use GRE on Nokia
and tunnel OSPF through it, and encrypt everything with
IPSec.

Good luck!

wirelesspeap
CCSE-NG, CCIE Security
 
Hi Wireless, I'm not sure if I understand you correctly or vice versa.

The Splat device will be running OSPF; the primary link will be the private connection, unencrypted. If this link goes down, then OSPF would reroute the traffic via the VPN connection. This is what I'm wondering: is it possible?

I know CP is capable of doing VPN routing, but I'm not sure how practical that will be in this case. We need to review what the main branch would have to do to support us doing VPN routing. This branch office connects to the main branch for some applications, but is not fully supported by them. It's a little weird, because they are more sister companies than one company, so lines of support are very grey.

Thanks
 