https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152698#M25468 <P>Yep, that's exactly what happened, both in WebUI and CLISH. &nbsp;Is there a particular reason why the virtual layer 3 interfaces (either straight portchannel or VLAN interfaces) are unusable for unnumbered VTI? &nbsp;There's no clear documentation on the options or explanations, so it is somewhat jarring when starting the configuration.</P> <P>&nbsp;</P> <P>Admittedly, when I did the first PoC lab, my test gateway was using direct ethernet interfaces with no VLAN configuration. &nbsp;I didn't expect the functionality or configuration to be very different when repeating the configuration on the production gateway. &nbsp;I know, this wasn't a "like-kind exchange" between PoC and production, and indeed my fault, so this is an additional #LessonLearned. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 11 Jul 2022 14:09:41 GMT Duane_Toler 2022-07-11T14:09:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152619#M25434 <P>All physical interfaces are configured to be part of various bonding groups (I have three of these: bond0, bond1, and bond2; each has 2 physical interfaces).</P> <P>Two of these are configured with VLANs (bond0.10, bond0.20, bond1.30, bond1.40).</P> <P>I try to add an unnumbered VTI, it fails:</P> <P>&nbsp;</P> <LI-CODE lang="javascript">gw1&gt; add vpn tunnel 4 type unnumbered peer FOO-GW dev bond0.10 VpntErr0001 There is no interface bond0.10 </LI-CODE> <P>&nbsp;</P> <P>R80.40 HFA 139, also tested on HFA 158</P> <P>&nbsp;</P> <P>Does this seem more like a feature-limitation than a bug? &nbsp;I'm guessing it's a TAC call either way...?</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 09 Jul 2022 20:45:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152619#M25434 Duane_Toler 2022-07-09T20:45:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152620#M25435 <P>Okie dokie.. so I used a loopback instead:</P> <P>&nbsp;</P> <P>gw1:</P> <P>add interface lo loopback 169.254.1.1/32&nbsp;</P> <P>add vpn tunnel 1 type unnumbered peer FOO-gw dev loop00</P> <P>set static-route 192.168.100.0/24&nbsp;<SPAN>nexthop gateway&nbsp;</SPAN>logical vpnt1 on</P> <P>&nbsp;</P> <P>gw2:</P> <P>add interface lo loopback 169.254.1.2/32&nbsp;</P> <P>add vpn tunnel 1 type unnumbered peer FOO-gw dev loop00</P> <P>set static-route 192.168.100.0/24&nbsp;<SPAN>nexthop gateway&nbsp;</SPAN>logical vpnt1 on</P> <P>&nbsp;</P> <P>In SmartConsole:</P> <P>Edit cluster object - Network Management - Get Interfaces -&gt; "Get Interfaces WITHOUT topology" (my emphasis)</P> <P>The physical IP of vpnt1 on each cluster member was the Gaia config (as expected). &nbsp;I configured the VIP of "vpnt1" to be the same IP as the same IP of the physical egress interface (eth0, in this case; for my customer this was a bond0.X VLAN).</P> <P>&nbsp;</P> <P>This actually works... &nbsp;wow. &nbsp;I'm a bit surprised. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> &nbsp;I ran a VPN debug to see what was going on, and ... nothing much, actually. &nbsp;It looked just about the same as any typical IKEv2 VPN would. &nbsp;The traffic selectors did their thing as you'd expect. &nbsp;VPN came up, and I tested clusterXL_admin down/up on each of the cluster members while passing traffic. &nbsp;Nothing unusual.</P> <P>&nbsp;</P> <P>R80.40 HFA 139 for my customer, but HFA 158 for my lab VMs.</P> <P>&nbsp;</P> Sun, 10 Jul 2022 01:05:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152620#M25435 Duane_Toler 2022-07-10T01:05:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152621#M25436 <P>I'm fairly certain in the Web UI we label the parameter as "Physical Device" and limit the drop down accordingly but also allow Loopbacks as you've discovered. Glad its working for you now.</P> Sun, 10 Jul 2022 02:23:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152621#M25436 Chris_Atkinson 2022-07-10T02:23:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152698#M25468 <P>Yep, that's exactly what happened, both in WebUI and CLISH. &nbsp;Is there a particular reason why the virtual layer 3 interfaces (either straight portchannel or VLAN interfaces) are unusable for unnumbered VTI? &nbsp;There's no clear documentation on the options or explanations, so it is somewhat jarring when starting the configuration.</P> <P>&nbsp;</P> <P>Admittedly, when I did the first PoC lab, my test gateway was using direct ethernet interfaces with no VLAN configuration. &nbsp;I didn't expect the functionality or configuration to be very different when repeating the configuration on the production gateway. &nbsp;I know, this wasn't a "like-kind exchange" between PoC and production, and indeed my fault, so this is an additional #LessonLearned. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 11 Jul 2022 14:09:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-VTI-with-interface-bond-and-VLAN/m-p/152698#M25468 Duane_Toler 2022-07-11T14:09:41Z