Overview


The goal of this project is to connect dozens of inexpensive wireless routers, such as the Linksys WRT54GL, to two or more Check Point VPN gateways. A number of special requirements must also be met to support VoIP.

The Linksys WRT54GL is one of many routers capable of running OpenWRT, a Linux distribution for embedded devices. In this documentation the term SOHO VPN Router refers to any inexpensive router of this kind running OpenWRT.

Special challenges include:

  • Supporting DHCP-assigned IP addresses on the SOHO VPN Router WAN ports.

    • Requires a Dynamic DNS client on each SOHO VPN Router, so that the gateways and the other routers can find a router whose WAN address has changed.
    • Requires the use of Interoperable Device objects in Check Point.
      • Requires Dynamic Addresses.
      • Requires certificates to authenticate the VPN tunnels, since a dynamically addressed peer cannot be identified by its IP address. This documentation shows how to use the Check Point Internal Certificate Authority (ICA) to issue certificates for the SOHO VPN Routers. Check Point identifies a peer's certificate by its Distinguished Name (DN), entered in the object's matching criteria box, and uses the peer's FQDN (its Dynamic DNS name) for link selection.

  • Reduce latency by creating a full-mesh network.

    • A hub-and-spoke VPN community is created in Check Point.
    • Although the Check Point VPN Community is hub and spoke, the individual routers also build spoke-to-spoke tunnels directly to one another, which gives a full mesh. Shell scripts create and maintain the spoke-to-spoke tunnels; because a spoke's WAN address changes with each new DHCP lease, the scripts have to re-resolve the peers' Dynamic DNS names and rebuild a tunnel whenever its far end moves.

  • Support QoS on the SOHO VPN Routers.

    • Remote users need to be able to save large Excel spreadsheets to a file server at the corporate office while speaking with clients on a VoIP phone. This presents a special challenge: once both flows are encrypted into the same IPsec tunnel it is normally not possible to separate the traffic classes, and the OpenWRT QoS engine can be bound either to the ipsec0 interface (the tunnel) or to the br0 interface (the LAN bridge), not both. Running two instances of QoS does not produce the desired results.

    • Q: How do you get QoS to work on multiple interfaces when only one is allowed? A: Add a second router (what do you want for $50?) and run the IPsec tunnels on router #1 and QoS on router #2.
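The spoke-to-spoke maintenance loop described above, written out as an added example; this is not the project's own script and not code from the original page. It assumes an Openswan/FreeS/WAN style ipsec.conf with one "conn" stanza per peer (the `ipsec auto --replace` / `--up` commands and the `leftid`/`rightid` DN matching are that syntax), peers authenticated by the DN in their ICA-issued certificates, and a peer list with one "name fqdn subnet dn" line per spoke. The hostnames, subnets, DNs and certificate file name are made up. The point it adds to the prose is the failure mode: a peer whose Dynamic DNS name stops resolving keeps its existing tunnel instead of having it torn down.

```shell
#!/bin/sh
# Added example (not the project's own script): keep spoke-to-spoke tunnels
# alive between SOHO VPN Routers whose WAN addresses come from DHCP.
# Assumed: Openswan/FreeS/WAN style ipsec.conf "conn" stanzas, peers
# authenticated by the DN of their ICA-issued certificate, and a peer list
# with one "name fqdn subnet dn" line per spoke. All names below are made up.
STATE_DIR="${STATE_DIR:-/tmp/spoke-state}"      # last address seen per peer
CONF_DIR="${CONF_DIR:-/tmp/spoke-conf}"         # generated stanzas, included from ipsec.conf
DRY_RUN="${DRY_RUN:-1}"                         # 1: print the ipsec commands instead of running them
LOCAL_SUBNET="${LOCAL_SUBNET:-192.168.1.0/24}"
LOCAL_DN="${LOCAL_DN:-CN=spoke1, O=example}"   # DN in this router's own certificate (assumed)
LOCAL_CERT="${LOCAL_CERT:-spoke1.pem}"          # assumed certificate file name

# Resolve a Dynamic DNS name to its current IPv4 address with busybox
# nslookup. The first "Address" line is the DNS server itself, so the last
# IPv4 seen is the answer; prints nothing if the name does not resolve.
resolve_fqdn() {
    nslookup "$1" 2>/dev/null | awk '
        /^Address/ { for (i = 1; i <= NF; i++)
                        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i }
        END { if (ip) print ip }' || true
}

# Emit the conn stanza for one peer at its current address. The peer is
# matched on the DN of its certificate (rightid), never on the address.
gen_conn() {
    cat <<EOF
conn spoke-$1
    left=%defaultroute
    leftcert=$LOCAL_CERT
    leftid="$LOCAL_DN"
    leftsubnet=$LOCAL_SUBNET
    leftrsasigkey=%cert
    right=$2
    rightid="$4"
    rightsubnet=$3
    rightrsasigkey=%cert
    authby=rsasig
    auto=start
EOF
}

# Reload one conn after its stanza was rewritten.
reload_conn() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: ipsec auto --replace spoke-$1 && ipsec auto --up spoke-$1" >&2
    else
        ipsec auto --replace "spoke-$1" && ipsec auto --up "spoke-$1"
    fi
}

# Re-resolve one peer and rebuild its tunnel only when the address changed.
# Exit status: 0 rebuilt, 1 unchanged, 2 name did not resolve (the running
# tunnel is left alone rather than torn down on a transient DNS failure).
update_peer() {
    local name="$1" fqdn="$2" subnet="$3" dn="$4" ip old
    mkdir -p "$STATE_DIR" "$CONF_DIR"
    ip=$(resolve_fqdn "$fqdn")
    if [ -z "$ip" ]; then
        echo "$name: $fqdn did not resolve, keeping current tunnel" >&2
        return 2
    fi
    old=$(cat "$STATE_DIR/$name.ip" 2>/dev/null || true)
    [ "$ip" = "$old" ] && return 1
    gen_conn "$name" "$ip" "$subnet" "$dn" > "$CONF_DIR/spoke-$name.conf"
    echo "$ip" > "$STATE_DIR/$name.ip"
    reload_conn "$name"
}

# Walk the peer list ('#' comments allowed; the DN may contain spaces, so it
# is everything after the third field) and print how many tunnels were rebuilt.
run_once() {
    local changed=0 name fqdn subnet dn
    while read -r name fqdn subnet dn; do
        case "$name" in ''|\#*) continue ;; esac
        update_peer "$name" "$fqdn" "$subnet" "$dn" && changed=$((changed + 1))
    done < "$1"
    echo "$changed"
}

# Run from cron every few minutes, e.g. "*/5 * * * * /etc/spokes.sh /etc/spoke-peers.txt"
if [ -n "${1:-}" ]; then
    run_once "$1"
fi
```

Only the peer whose address actually changed is replaced, so an address change at one spoke does not bounce the tunnels to the others; the local router's own Dynamic DNS registration is a separate client and is not shown here.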

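The QoS half of the two-router answer, as an added example; it is not the project's own script and not code from the original page. It assumes Linux tc with HTB and SFQ on router #2, that router #2 sits on the LAN side of router #1 so it still sees cleartext and can classify by the phone's address or by DSCP before the traffic is encrypted (if it sat on the WAN side it would see only ESP and could classify only by whatever DSCP the VPN router copies into the outer header), and an uplink rate set slightly below the real one so that queuing happens on the router rather than in the modem. The interface name, rates and addresses are made up.

```shell
#!/bin/sh
# Added example (not the project's own script): VoIP-first upload shaping on
# the second SOHO router, the one that does not terminate IPsec.
# Assumed: Linux tc with HTB and SFQ, the router is on the LAN side of the VPN
# router (cleartext visible), the VoIP phone is at $PHONE_IP, and $UPLINK_KBIT
# is a little below the real uplink. Interface, rates and addresses are made up.
DEV="${DEV:-vlan1}"                  # interface towards the VPN router
UPLINK_KBIT="${UPLINK_KBIT:-768}"
PHONE_IP="${PHONE_IP:-192.168.1.50}"
DRY_RUN="${DRY_RUN:-1}"              # 1: print the tc commands instead of running them

tc_() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi; }

# Rate plan: voice is guaranteed a quarter of the uplink at top priority so it
# is never starved; bulk (the Excel upload to the file server) gets the rest
# and may borrow up to the full uplink while the phone is idle.
voice_rate() { echo $(( UPLINK_KBIT / 4 )); }
bulk_rate()  { echo $(( UPLINK_KBIT - UPLINK_KBIT / 4 )); }

setup_qos() {
    tc_ qdisc del dev "$DEV" root 2>/dev/null || true
    tc_ qdisc add dev "$DEV" root handle 1: htb default 20
    tc_ class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
    tc_ class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$(voice_rate)kbit" ceil "${UPLINK_KBIT}kbit" prio 0
    tc_ class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$(bulk_rate)kbit" ceil "${UPLINK_KBIT}kbit" prio 1
    # Short FIFO for voice (late RTP is worthless, so drop rather than delay);
    # fair queuing for bulk so a single SMB session cannot monopolise it.
    tc_ qdisc add dev "$DEV" parent 1:10 handle 10: pfifo limit 20
    tc_ qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # Everything the phone sends is voice (SIP signalling and RTP alike) ...
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip src "$PHONE_IP/32" flowid 1:10
    # ... and so is anything else already marked EF (DSCP 46, TOS byte 0xb8).
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 2 u32 match ip tos 0xb8 0xfc flowid 1:10
}

# "sh qos.sh" prints the commands; "sh qos.sh apply" installs them (run at boot).
case "${1:-}" in
    apply) DRY_RUN=0; setup_qos ;;
    *)     setup_qos ;;
esac
```

Everything not matched by the two filters, including the spreadsheet upload, falls into the default class 1:20, so the shaping needs no knowledge of the file server at all; only the phone has to be identified.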
Created by: kpalmer last modification: Monday 07 of May, 2007 [22:01:55 UTC] by kpalmer