topic Resilient VPN Data Center Solution in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Resilient-VPN-Data-Center-Solution/m-p/70166#M11835 <P>Hi everyone, I hope you're all well. This is not so much a question, but I'd be interested to know your thoughts on best practice for a request I've been asked to work on.<BR /><BR />Attached is a very crude network diagram (apologies!).</P><P>&nbsp;</P><P>We have two DC's - DCR and DCS. We have a customer called Mobile City. Currently there's an IPSec VPN tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City. A lot of O365 traffic passes through this tunnel so it's rather risky not having any resilience. Hence, my request.</P><P>&nbsp;</P><P>I've been asked to add a second tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City, then also two brand new tunnels between Checkpoint DCS and Mobile City. It's a fairly straightforward request but I just wanted to ask whether there are any best practices when it comes to this type of request.</P><P>&nbsp;</P><P>This is the configuration I've been provided with by Mobile City:</P><P>&nbsp;</P><UL><LI><SPAN>Mobile City public peer IP -&nbsp;</SPAN><SPAN>202.154.29.17</SPAN></LI><LI>DCR/DCS public peer IP -&nbsp;149.133.213.4</LI><LI>Mobile City LAN subnet – 172.28.5.0/24</LI><LI>DCR/DCS LAN subnets<UL><LI>- 10.101.0.0/16<BR />- 10.102.0.0/15<BR />- 10.104.0.0/16<BR />- 10.128.0.0/16<BR />- 10.129.0.0/16<BR />- 10.130.0.0/16<BR />- 10.131.0.0/16<BR />- 10.132.0.0/14<BR />- 10.20.0.0/16<BR />- 10.20.30.0/24<BR />- 10.32.0.0/13<BR />- 10.41.0.0/16<BR />- 10.42.0.0/16<BR />- 10.43.0.0/16<BR />- 10.86.0.0/15<BR />- 10.88.0.0/16<BR />- 10.97.0.0/16<BR />- 10.98.0.0/16<BR />- 172.21.0.0/16</LI></UL></LI><LI>Crypto settings to be confirmed but IKEV2 will be used along with AES-256, DH 14 and SHA-256</LI></UL><P>&nbsp;</P><P>I'm confident I can get the tunnels up, but just wanted clarity on any further configuration on the LAN side, i.e routing.</P><P>&nbsp;</P><P>What would be the best way of routing the interesting traffic, considering Mobile City has a single /24 network whereas there are a number of larger DC subnets?</P><P>&nbsp;</P><P>Also, would it be wise to enable ISP redundancy for this type of solution.</P><P>&nbsp;</P><P>Hope you can help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Many thanks in advance.</P><P>B</P> Wed, 11 Dec 2019 19:34:24 GMT ziggurat 2019-12-11T19:34:24Z Resilient VPN Data Center Solution https://community.checkpoint.com/t5/Firewall-and-Security-Management/Resilient-VPN-Data-Center-Solution/m-p/70166#M11835 <P>Hi everyone, I hope you're all well. This is not so much a question, but I'd be interested to know your thoughts on best practice for a request I've been asked to work on.<BR /><BR />Attached is a very crude network diagram (apologies!).</P><P>&nbsp;</P><P>We have two DC's - DCR and DCS. We have a customer called Mobile City. Currently there's an IPSec VPN tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City. A lot of O365 traffic passes through this tunnel so it's rather risky not having any resilience. Hence, my request.</P><P>&nbsp;</P><P>I've been asked to add a second tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City, then also two brand new tunnels between Checkpoint DCS and Mobile City. It's a fairly straightforward request but I just wanted to ask whether there are any best practices when it comes to this type of request.</P><P>&nbsp;</P><P>This is the configuration I've been provided with by Mobile City:</P><P>&nbsp;</P><UL><LI><SPAN>Mobile City public peer IP -&nbsp;</SPAN><SPAN>202.154.29.17</SPAN></LI><LI>DCR/DCS public peer IP -&nbsp;149.133.213.4</LI><LI>Mobile City LAN subnet – 172.28.5.0/24</LI><LI>DCR/DCS LAN subnets<UL><LI>- 10.101.0.0/16<BR />- 10.102.0.0/15<BR />- 10.104.0.0/16<BR />- 10.128.0.0/16<BR />- 10.129.0.0/16<BR />- 10.130.0.0/16<BR />- 10.131.0.0/16<BR />- 10.132.0.0/14<BR />- 10.20.0.0/16<BR />- 10.20.30.0/24<BR />- 10.32.0.0/13<BR />- 10.41.0.0/16<BR />- 10.42.0.0/16<BR />- 10.43.0.0/16<BR />- 10.86.0.0/15<BR />- 10.88.0.0/16<BR />- 10.97.0.0/16<BR />- 10.98.0.0/16<BR />- 172.21.0.0/16</LI></UL></LI><LI>Crypto settings to be confirmed but IKEV2 will be used along with AES-256, DH 14 and SHA-256</LI></UL><P>&nbsp;</P><P>I'm confident I can get the tunnels up, but just wanted clarity on any further configuration on the LAN side, i.e routing.</P><P>&nbsp;</P><P>What would be the best way of routing the interesting traffic, considering Mobile City has a single /24 network whereas there are a number of larger DC subnets?</P><P>&nbsp;</P><P>Also, would it be wise to enable ISP redundancy for this type of solution.</P><P>&nbsp;</P><P>Hope you can help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Many thanks in advance.</P><P>B</P> Wed, 11 Dec 2019 19:34:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Resilient-VPN-Data-Center-Solution/m-p/70166#M11835 ziggurat 2019-12-11T19:34:24Z