topic Re: VPN link selection question in Firewall and Security Management

VPN link selection question

the_rock — Thu, 02 Mar 2023 19:12:33 GMT

Hey guys,

I honestly was not even going to post this, but had to, just for my own sanity : - ). Though Im 99.99% sure this is NOT possible, but since customer asked me, figured would pick ya'll brains. So, here is their question...is there ANY way to configure CP firewall (either via link selection or any other way) to use say external IP for specific VPN tunnels and then use a different IP for other tunnels?

Cheers.

Re: VPN link selection question

Wolfgang — Thu, 02 Mar 2023 20:14:21 GMT

In the past this was possible via entry in user.def see Controlling which IP address VPN traffic passes through But I think ther‘s no support for this in the newer releases.

With link selection you can achieve this if the remote VPN gateways are available via different interface. You can route tunnel A via interface A and tunnel B via interface B, it depends on routing configuration. Source IP will be the interface IP of the outgoing interface. How to create VPN tunnels to a 3rd party peer using a specific ISP

Re: VPN link selection question

the_rock — Thu, 02 Mar 2023 20:17:41 GMT

Thanks @Wolfgang ! Never seen that sk before, but good to know, though I believe you are right, probably not supported in new versions. For your 2nd point, customer has only 1 external interface, so not sure that might be feasible. What about below setting, would this work possibly?

Thoughts?

Re: VPN link selection question

Wolfgang — Thu, 02 Mar 2023 20:30:01 GMT

@the_rock the shown settings are for the IP addresses they will be probed from the remote gateway to the local gateway (see description in the top) Additional you have to configure the IP address of the outgoing packets, second part of your shown screen. But I think your need does not work if all tunnel packets are going through the same interface.

Re: VPN link selection question

the_rock — Thu, 02 Mar 2023 20:54:20 GMT

Thanks mate, I think what you gave is the closest to what they need, so I greatly appreciate it 🙌🙌

Re: VPN link selection question

PhoneBoy — Thu, 02 Mar 2023 21:29:37 GMT

You can configure Remote Access and Site-to-Site VPN tunnels with a different "Link Selection" IP.
However, you cannot configure "per peer" Link Selection, which is what it sounds like your customer wants.
Though sk31102 does seem like it would support that (if it works on current versions).

FYI, in R82, I believe we are overhauling the whole "Link Selection" mechanism.

Re: VPN link selection question

the_rock — Thu, 02 Mar 2023 22:49:10 GMT

Fair enough, thank you. Its weird how this client has route based tunnels configured (never seen that in 15 years with CP), so makes it a bit tricky to do all this, but you guys gave me excellent choice, so I will give this to them, probably tomorrow or some time next week. They understand the situation, so really this is the best they can get, whether they like it or not 😊

Thanks a lot as always @PhoneBoy and @Wolfgang !

Re: VPN link selection question

the_rock — Fri, 03 Mar 2023 00:22:13 GMT

Hey @PhoneBoy ...I assume you were referring to visitor mode setting for remote access where it lets you select the interface?

Re: VPN link selection question

PhoneBoy — Fri, 03 Mar 2023 00:28:47 GMT

No, I'm referring to: https://support.checkpoint.com/results/sk/sk32229

Re: VPN link selection question

the_rock — Fri, 03 Mar 2023 00:52:07 GMT

Ah, right...I remember seeing this sk couple of years ago.