<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic HA S2S VPN with two providers in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177311#M32491</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Hello!&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Can you tell me if it's possible to implement such a scheme, for example: we have 10 VPN S2S tunnels, in link selection, I choose "calculate IP based on network topology" and in this case, our VPN will be built from the interface with the best route. My question is: can I set up routing in such a way that 5 tunnels go through one provider and 5 through another, and specify monitored IPs in these routes? Am I correct in understanding that in case of unavailability of the monitored IPs (the provider is down), the route will change to the other provider and the VPN will be rebuilt on the working one? The task is to manually build VPNs from the required interfaces, but also to ensure fault tolerance in case of problems with the provider.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 04 Apr 2023 22:45:46 GMT</pubDate>
    <dc:creator>Andrey_Gl</dc:creator>
    <dc:date>2023-04-04T22:45:46Z</dc:date>
    <item>
      <title>HA S2S VPN with two providers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177311#M32491</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hello!&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Can you tell me if it's possible to implement such a scheme, for example: we have 10 VPN S2S tunnels, in link selection, I choose "calculate IP based on network topology" and in this case, our VPN will be built from the interface with the best route. My question is: can I set up routing in such a way that 5 tunnels go through one provider and 5 through another, and specify monitored IPs in these routes? Am I correct in understanding that in case of unavailability of the monitored IPs (the provider is down), the route will change to the other provider and the VPN will be rebuilt on the working one? The task is to manually build VPNs from the required interfaces, but also to ensure fault tolerance in case of problems with the provider.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Apr 2023 22:45:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177311#M32491</guid>
      <dc:creator>Andrey_Gl</dc:creator>
      <dc:date>2023-04-04T22:45:46Z</dc:date>
    </item>
    <item>
      <title>Re: HA S2S VPN with two providers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177706#M32547</link>
      <description>&lt;P&gt;How are you proposing to configure the routing, dynamic or static?&lt;BR /&gt;In any case, this seems feasible, but it would depend on the other side to be configured properly.&lt;/P&gt;</description>
      <pubDate>Sat, 08 Apr 2023 02:04:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177706#M32547</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-04-08T02:04:43Z</dc:date>
    </item>
    <item>
      <title>Re: HA S2S VPN with two providers</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177726#M32551</link>
      <description>&lt;P&gt;Definitely phoneboy makes sense here, it would certainly depend on the other side. You could potentially use below, but not 100% sure it may achieve exactly what you are asking.&lt;/P&gt;
&lt;P&gt;Just as a side note, some people wrongly believe that link selection tab (top section) refers to what CP fw proposes, but that's WRONG. That refers to what other side will see and bottom section is what CP will send.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;
&lt;DIV id="mc-main-content" role="main"&gt;
&lt;UL class="listbullet"&gt;
&lt;LI class="listbullet"&gt;&lt;STRONG class="bold"&gt;Use probing. Redundancy mode:&lt;/STRONG&gt; - When more than one IP address is available on a Security Gateway for VPN, Link Selection may employ the RDP probing method to determine which link will be used.The RDP probing method is implemented using a proprietary protocol that uses UDP port 259. This protocol is proprietary to Check Point and works only between Check Point entities. (Note that it does not comply with RDP as specified in RFC 908/1151). IP addresses you do not want to be examined (i.e., internal IP addresses) may be removed from the list of IP's to be examined. Once a Security Gateway maps the links' availability, a link selection per connection can be made according to the following redundancy modes:
&lt;UL class="listbullet2"&gt;
&lt;LI class="listbullet2"&gt;&lt;STRONG class="bold"&gt;High Availability &lt;/STRONG&gt;(default setting) - In High Availability mode the VPN tunnel uses the first IP address to respond, or the primary IP address if a primary IP is configured and active. If the chosen IP address stops responding, the connection fails over to another responding IP address. If a primary IP address is configured, the VPN tunnel will stay on the backup IP address until the primary one becomes available again.&lt;/LI&gt;
&lt;LI class="listbullet2"&gt;&lt;STRONG class="bold"&gt;Load Sharing - &lt;/STRONG&gt;In Load Sharing mode the encrypted traffic is distributed among all available links. Every new connection ready for encryption uses the next available link in a round robin manner. When a link becomes unavailable, all of its connections are distributed among the other available links. A link's availability is determined using RDP probing.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20463i8C7AD5D0CD271A0D/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /&gt;&lt;/span&gt;
&lt;/DIV&gt;
</description>
      <pubDate>Sat, 08 Apr 2023 17:02:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HA-S2S-VPN-with-two-providers/m-p/177726#M32551</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-04-08T17:02:12Z</dc:date>
    </item>
  </channel>
</rss>

