topic Re: Site to site VPN using backup ISP for one site in Firewall and Security Management

Site to site VPN using backup ISP for one site

Luke_Abrams — Mon, 17 Oct 2022 15:14:29 GMT

Hello we have 4 sites total, 3 remote sites that connect back to our primary site via site to site vpn tunnels. All sites are checkpoint. One of our sites has a hop that is dropping/losing/whatever with packets and this is causing major slowness. Our primary ISP isn't being helpful since it isn't on their network. During our testing we found that if we use our backup ISP, it will use a different path and the slowness is gone.

So all of that to ask is it possible to route 1 site to site vpn over the backup ISP while leaving the others routed over the primary ISP?

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Mon, 17 Oct 2022 18:46:08 GMT

Yes, you will need to adjust the Link Selection setting to make decision based on the routing table.
Refer to: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Link-Selection.htm?tocpath=Link%20Selection%7C_____0#Link_Selection

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Tue, 18 Oct 2022 19:01:55 GMT

I am looking through the article you provided, my scenario from the way I see it would be similar to "Security Gateway with Several IP Addresses Used by Different Parties" There doesn't seem to be much direction on that one though. All sites have static addresses. I only want the one site to run on the alternate ISP. So I would need to add some routing on the local gateways to accomplish this? I am not sure if it make a difference or not but the remote site is running SMB's 1600 series.

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Tue, 18 Oct 2022 19:14:32 GMT

Yes, you would route all traffic for that particular site through the other ISP using static routes.
This will cause Link Selection to use the appropriate interface IP when doing a Site to Site VPN on that interface.

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Tue, 18 Oct 2022 19:28:09 GMT

Would those static routes be on the remote site pointing back at the main site or at the main site pointing at the remote site? Or would it be on both?

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Tue, 18 Oct 2022 19:38:49 GMT

The routes would be on the gateway where Link Selection is configured.
If the remote site has multiple ISPs also, you might want routes configured there as well to ensure symmetry.

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Tue, 18 Oct 2022 20:11:55 GMT

I guess I am missing something sorry - So often pictures are worth a 1000 words so I will include some pics below. First is the the link selection configuration from the Primary site - 71 is the normal ISP link 122 is the one I want this connection only to go out of.

The second picture is of the static routes configured for this. The 91-93 are the external addresses of the remote cluster, Eth3 is the external interface of the alternate ISP I want this remote site to connect on.

However my tunnel still is connecting on the 71 ISP even after resetting it multiple times.

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Tue, 18 Oct 2022 22:26:56 GMT

You're using an interface route when you should be using an IP-based nexthop (specifically to the default route for ISP2).
Also, what is the Source IP address setting say?

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Wed, 19 Oct 2022 13:24:34 GMT

So it should work like this? It looks like it is still using the gateway of .65 even after tunnel resets.

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Wed, 19 Oct 2022 13:25:10 GMT

Yes like that.
And, unless a reboot solves it, I recommend a TAC case for further troubleshooting.

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Wed, 19 Oct 2022 13:28:53 GMT

Ok, I am running installs of the latest Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T78 right now on the clusters so that restarts during the install. I will see if that resolves it. If not we can get a case rolling.

Re: Site to site VPN using backup ISP for one site

Luke_Abrams — Wed, 19 Oct 2022 15:37:48 GMT

Our SMB at the remote site is managed by the same manager as the main site and the main site IP has its external set as its main IP. Does this change anything on what we need to configure?

Re: Site to site VPN using backup ISP for one site

PhoneBoy — Wed, 19 Oct 2022 15:52:33 GMT

You shouldn't need to.
That said, I highly recommend having TAC review your configuration.