Chapter 5. Implementing High Availability with VPNs 309
5.2 Test network design
As mentioned earlier in this book, the new version of VPN-1/Firewall-1 has
the ability to synchronize the state tables between two or more Firewall
modules. The state synchronization allows for the preservation of active TCP
sessions at the point of a failover. This also allows for the preservation of
active VPN sessions between a SecuRemote client and the VPN-1/Firewall-1
module. The installation and basic configuration of AIX 4.3.3,
VPN-1/Firewall-1, and HACMP is the same as that described in earlier
chapters. This section will document the changes to the configurations.
5.2.1 Test network topology
Figure 115 on page 310 shows the network plan for our VPN-1/Firewall-1 and
HACMP testing. As before, our test environment consists of two RS/6000
machines (called cpfw1 and cpfw2). There are four networks attached to the
firewalls:
• fw_ext, which represents the “non-secure” or external network. This could
be the Internet, for example.
• fw_dmz, which is a demilitarized zone (DMZ) for publicly accessible Web
and FTP servers.
• fw_man, which is a firewall management LAN that connects just the two
firewalls. In our scenario, we used a single RJ45 crossover cable attached
to the on-board ethernet adapters of the two firewalls.
• fw_int, which represents the internal network, for example, a company’s
intranet.
310 Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions
Figure 115. Network Topology for VPN-1y
The addressing above shows only the actual addresses of all the hosts. The
HACMP cluster addresses are .3 on each of the LANs, excluding the
Management LAN. It was decided that the Management LAN should not have
any cluster addressing, as this might complicate the state table and ntp
synchronization. Table 11 shows the HACMP topology used in this setup.
Table 11. HACMP Topology for firewall adapters
Adapter
IP Label
Network
Type
Network
Name
Network
Attribute
Adapter
Function
Node
Name
fw1_ext_boot ether ext_net public boot cpfw1
fw1_dmz_boot ether dmz_net public boot cpfw1
fw1_int_boot ether int_net public boot cpfw1
fw2_ext_boot ether ext_net public boot cpfw2
fw2_dmz_boot ether dmz_net public boot cpfw2
fw2_int_boot ether int_net public boot cpfw2
fw_ext ether ext_net public service
fw_dmz ether dmz_net public service
fw_int ether int_net public service
web
cpfw1
.....253
fw_dmz 10.7.0.0/24
.1
internetpc
fw_ext 192.167.1.0/24
.1
gui
fw_int 192.167.2.0/24
.154
en0 en1
en3en2
cpfw2
.....254
en0 en1
en3en2
fw_man 10.8.0.0/24
Chapter 5. Implementing High Availability with VPNs 311
The following are the entries in /etchosts and /.rhosts:
/etc/hosts:
192.167.2.3 fw_int
192.167.2.253 fw1_int_boot cpfw1
192.167.2.254 fw2_int_boot cpfw2
192.167.1.3 fw_ext
192.167.1.253 fw1_ext_boot cpfw1
192.167.1.254 fw2_ext_boot cpfw2
10.7.0.3 fw_dmz
10.7.0.253 fw1_dmz_boot cpfw1
10.7.0.254 fw2_dmz_boot cpfw2
10.7.0.1 www
192.167.2.1 fwtest
10.8.0.254 cpfw2_man
10.8.0.253 cpfw1_man
/.rhosts
fw_int root
fw1_int_boot root
fw2_int_boot root
fw_ext root
fw1_ext_boot root
fw2_ext_boot root
fw_dmz root
fw1_dmz_boot root
fw2_dmz_boot root
cpfw1 root
cpfw2 root
cpfw1_adm root
cpfw2_adm root
Get Check Point VPN-1 / FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
