<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Third party IPSEC VPN with 2 peers in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115749#M16309</link>
    <description>&lt;P&gt;I agree, but it would also be nice if Checkpoint accounted for this scenario in the community, i.e. maybe by a priority list or recognise a backup device in the community.&lt;/P&gt;</description>
    <pubDate>Sat, 10 Apr 2021 14:17:19 GMT</pubDate>
    <dc:creator>genisis__</dc:creator>
    <dc:date>2021-04-10T14:17:19Z</dc:date>
    <item>
      <title>Third party IPSEC VPN with 2 peers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115428#M16227</link>
      <description>&lt;P&gt;Hello all, sorry if this has already been answered before, I've searched here and couldn't find anything related.&lt;/P&gt;&lt;P&gt;We have a customer that we need to establish an "HA" IPSEC VPN with. They have 2 remote peer addresses, let's name them site A and site B, both using Cisco ASA, with site A being the preferable one; if it becomes unavailable, we would still have the VPN established with site B.&lt;/P&gt;&lt;P&gt;I have a local R80.40 GW. I know I can set a VPN community and add both interoperable devices to it, but how can I be sure that the traffic would only go to site B if site A is unavailable?&lt;/P&gt;&lt;P&gt;I also know that I could create 2 VPN communities, but if I do that I think I would have a problem with the encryption domain because they would be the same, right?&lt;/P&gt;&lt;P&gt;What would be the best way to achieve this setup?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 06 Apr 2021 20:18:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115428#M16227</guid>
      <dc:creator>hugothebas</dc:creator>
      <dc:date>2021-04-06T20:18:31Z</dc:date>
    </item>
    <item>
      <title>Re: Third party IPSEC VPN with 2 peers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115430#M16228</link>
      <description>&lt;P&gt;I think the simplest and most predictable way to control this would be a route-based VPN with dynamic routing. Route-based VPNs involve setting up a virtual interface (called a VTI) on your firewall which acts like a really long Ethernet cable going to the remote VPN endpoint. Since it's an interface, you can do most of the normal interface things like running OSPF or BGP on it. Once you have dynamic routing set up, the other side can control which path you prefer by tweaking router IDs, OSPF link cost, or any number of other properties.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Apr 2021 20:35:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115430#M16228</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2021-04-06T20:35:53Z</dc:date>
    </item>
    <item>
      <title>Re: Third party IPSEC VPN with 2 peers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115749#M16309</link>
      <description>&lt;P&gt;I agree, but it would also be nice if Checkpoint accounted for this scenario in the community, i.e. maybe by a priority list or recognise a backup device in the community.&lt;/P&gt;</description>
      <pubDate>Sat, 10 Apr 2021 14:17:19 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Third-party-IPSEC-VPN-with-2-peers/m-p/115749#M16309</guid>
      <dc:creator>genisis__</dc:creator>
      <dc:date>2021-04-10T14:17:19Z</dc:date>
    </item>
  </channel>
</rss>

