VPN3k & Checkpoint FW "cluster"

Discussion in 'Cisco' started by Bill Thompson, Jul 11, 2004.

  1. Hello All,

    Does anyone have experience with LAN-to-LAN connections between a VPN3005
    and a "cluster" of Checkpoint FWs?

    One of my trading partners has changed their Checkpoint gateway into what
    he calls a cluster. He is not running VRRP, but some type of load sharing
    configuration. What this means to the VPN3k is that it is connecting to
    address a.a.a.a and receiving responses from address a.a.a.b. As you can
    imagine, the VPN3k is ignoring the secondary address since the tunnel was
    not established to that address. I have looked at setting up multiple
    gateways on the VPN3k, but that can only be done with a one-way connection
    and this needs to be bi-directional.

    I was hoping to get some opinions on this "cluster" idea he is
    using. To my mind a VPN gateway that receives at one address and responds
    on another is broken, but the partner insists that this is done with
    Checkpoint devices all of the time. Opinions and/or suggestions would be
    Bill Thompson, Jul 11, 2004
