topic Re: S2S VPN primary and backup (DR) location in Firewall and Security Management

S2S VPN primary and backup (DR) location

babicmilan — Fri, 24 Feb 2023 10:43:02 GMT

Hello, I need to accomplish this scenario (attached picture). I need to setup S2S VPN tunnels on CheckPoint ClusterXL towards Site 1 (primary location) and Site 2 (backup DR location). Idea is, when primary location falls down, everything works over backup DR location without interrupt.

How can I do that?

Additional questions:

Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?
If 1. is not possible which one is better to use Policy Based or Route Based VPN on Site 1 and Site 2
Can I use MEP (Multiple Entry Point) in this scenario?

Best regards,

Milan Babic

Re: S2S VPN primary and backup (DR) location

G_W_Albrecht — Fri, 24 Feb 2023 11:02:53 GMT

1. Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?

Why that demand, and why will community based VPN not work for you ? As seen in sk100500: Policy-Based Routing (PBR) on Gaia OS and sk167135: Policy-Based Routing and Application-Based Routing in Gaia, this is used for other reasons, not VPN. What is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway

2. If 1. is not possible which one is better to use Policy Based or Route Based VPN on Site 1 and Site 2

Community based routing is the standard deployment for most circumstances; also see 1.

3. Can I use MEP (Multiple Entry Point)

MEP is for RA VPN only, so it is unclear what this question for S2S VPN means ?

Re: S2S VPN primary and backup (DR) location

babicmilan — Fri, 24 Feb 2023 11:16:53 GMT

Hello.

Let's clarify, when I say "Policy Based VPN" I think on "Domain Based VPN".

I have attached Site to Site VPN R81.10 Administration Guide where MEP is explained.

1) S2S VPN tunnel between HQ and Site 1 is operational (Domain Based VPN), tunnel between HQ and Site 2 I need to configure.

Re: S2S VPN primary and backup (DR) location

Machine_Head — Fri, 24 Feb 2023 16:12:25 GMT

Check:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk164355

Re: S2S VPN primary and backup (DR) location

the_rock — Fri, 24 Feb 2023 19:40:12 GMT

I second what @Machine_Head gave you. Had customer do this couple of years back and it worked flawlessly.

Andy

Re: S2S VPN primary and backup (DR) location

the_rock — Fri, 24 Feb 2023 19:45:11 GMT

Also, to add, IF you have ISP redundancy, just know that any new VPN connections would NOT survive isp failure link. Something to keep in mind, if you do have that configured.

Re: S2S VPN primary and backup (DR) location

G_W_Albrecht — Sat, 25 Feb 2023 11:18:02 GMT

As i wrote: What is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway

Re: S2S VPN primary and backup (DR) location

G_W_Albrecht — Sat, 25 Feb 2023 11:20:03 GMT

No need to post the VPN Admin Guide, i have it ! Never saw MEP in use, though...

Re: S2S VPN primary and backup (DR) location

babicmilan — Mon, 27 Feb 2023 11:33:35 GMT

OK, that means it is not possible to mix Route Based VPN and Domain Based VPN toward same destination because Domain Based VPN will always take precedence? Is there a way to change this behavior by some policy order?

Re: S2S VPN primary and backup (DR) location

the_rock — Mon, 27 Feb 2023 12:30:50 GMT

As far as Im aware, no and no. Sorry, I meant YES, domain based will take presedence and NO, you cant change the bahavior by policy order.

Re: S2S VPN primary and backup (DR) location

babicmilan — Wed, 01 Mar 2023 12:26:47 GMT

Another questions:

In my topology if I use MEP star community HQ (CheckPoint ClusterXL) would be Satellite Gateway, Site1 and Site2 would be Center Gateways? How to configure "VPN Routing" in this star community? VPN tunnel must be initiated from HQ towards Site1 and Site2
Can I use Route Based VPN with MEP or it must be Community Based VPN?

Re: S2S VPN primary and backup (DR) location

Machine_Head — Wed, 01 Mar 2023 12:33:16 GMT

-Yes

-To center only should be fine.

- It doesn't matter from where the traffic is initiated.

-As i understand it, MEP is to be used with Domain Based VPN. Potentially if you use routing there is no need for MEP as the routing decision comes from the routing protocol.

Juan

Re: S2S VPN primary and backup (DR) location

G_W_Albrecht — Wed, 01 Mar 2023 12:49:17 GMT

It is possible as source AND destination must match Domains, see sk109340 !

Re: S2S VPN primary and backup (DR) location

the_rock — Wed, 01 Mar 2023 12:57:00 GMT

Second what @Machine_Head told you.

Re: S2S VPN primary and backup (DR) location

G_W_Albrecht — Wed, 01 Mar 2023 12:58:18 GMT

MEP is enabled in VPN Community, but not implicit MEP - see https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/MEP.htm

Re: S2S VPN primary and backup (DR) location

babicmilan — Thu, 16 Mar 2023 17:56:57 GMT

Hello, I have created VPN star topology, "CP-ZZZRS" as satellite gateway, "VPN_PURS_GW" and "VPN_PURS_DR_GW" as center gateways. I have MEP enabled. I want to achieve that S2S tunnel between gateways "CP-ZZZRS" and "VPN_PURS_GW" has higher priority.

I'm not sure that I have configure it correctly, I want to be sure. (atached picture).

Please look at default priority rules, exception priority rules, for "Advanced" I have choose "First to respond".

Best regards,

Milan Babic

Re: S2S VPN primary and backup (DR) location

the_rock — Thu, 16 Mar 2023 18:09:18 GMT

I remember few years ago customer had it set exactly the same way and worked fine. Seems totally logical to me.

Andy