https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194726#M36262 <P>We had a client who wanted similar thing and we did end up using BGP, though this was Azure, but literally the same concept.</P> Tue, 10 Oct 2023 20:55:42 GMT the_rock 2023-10-10T20:55:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194336#M36153 <P>Hello,</P><P>We have a cluster on R81.10, in which we have two links/ISP from different suppliers. We would like to enable redundancy for a VPN with AWS.<BR />EX:<BR />ISP 1<BR />ISP2</P><P>In other words, having 2 active tunnels, when the ISP1 tunnel fails, the ISP2 tunnel is activated.</P><P>As we know that S2S VPNs with AWS are route based, we have already ruled out using link selection.</P><P>In a first conversation with AWS, they informed us that it will have to be done via BGP.</P><P><BR />Has anyone already implemented this configuration?</P> Thu, 05 Oct 2023 18:38:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194336#M36153 IMCristian_Rosa 2023-10-05T18:38:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194483#M36188 <P>Why not use MEP? It applies if you have more than 1 center gateway, unless you are strictly referring to ISP redundancy?</P> <P>Andy</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/MEP.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/MEP.htm</A></P> Sun, 08 Oct 2023 21:57:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194483#M36188 the_rock 2023-10-08T21:57:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194487#M36189 <P>Hello, The_Rock,<BR /><BR />Tks for feedback.<BR /><BR />What I need is ISP redundancy to have redundancy between two tunnels.<BR /><BR /><BR />Tks<BR /><BR />Cristian Rosa<BR /><BR /><BR /></P> Mon, 09 Oct 2023 00:51:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194487#M36189 IMCristian_Rosa 2023-10-09T00:51:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194488#M36190 <P>Hey mate,</P> <P>Not so sure thats possible, because if you think about it logically, how would the AWS side ever know that there was ISP like change and would be aware of new external IP?</P> <P>Andy</P> Mon, 09 Oct 2023 01:44:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194488#M36190 the_rock 2023-10-09T01:44:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194568#M36222 <P>Have you tried this? <A href="https://support.checkpoint.com/results/sk/sk108958" target="_blank">https://support.checkpoint.com/results/sk/sk108958</A>&nbsp;</P> Mon, 09 Oct 2023 19:47:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194568#M36222 PhoneBoy 2023-10-09T19:47:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194707#M36256 <P>Andy,</P><P>This scenario is common, how would I do VPN redundancy using VTI/AWS?</P><P>Is there no possibility?</P><P>Tks</P><P>Cristian Rosa</P> Tue, 10 Oct 2023 19:08:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194707#M36256 IMCristian_Rosa 2023-10-10T19:08:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194708#M36257 <P><SPAN>Hello, PhoneBoy</SPAN><BR /><BR /><SPAN>Tks for feedback.</SPAN><BR /><BR /><SPAN>What I need is ISP redundancy to have redundancy between two tunnels.</SPAN></P> Tue, 10 Oct 2023 19:08:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194708#M36257 IMCristian_Rosa 2023-10-10T19:08:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194715#M36259 <P>From sk108958: "To detect when a tunnel goes down and to route traffic through the second tunnel, we use BGP."</P> Tue, 10 Oct 2023 20:16:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194715#M36259 PhoneBoy 2023-10-10T20:16:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194719#M36261 <P>Hi,<BR /><BR /></P><P>But in this case, the reference is to the second tunnel on the AWS side. In AWS there will be redundancy, but on the Checkpoint side.</P><P>Note that there is only one peer/ISP on the Checkpoint side.<BR /><BR /><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpn aws.png" style="width: 430px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22737iAD4A2C07EE5BAA9B/image-dimensions/430x394?v=v2" width="430" height="394" role="button" title="vpn aws.png" alt="vpn aws.png" /></span></P><P>Tks</P><P>Cristian Rosa</P> Tue, 10 Oct 2023 20:25:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194719#M36261 IMCristian_Rosa 2023-10-10T20:25:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194726#M36262 <P>We had a client who wanted similar thing and we did end up using BGP, though this was Azure, but literally the same concept.</P> Tue, 10 Oct 2023 20:55:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-S2S-2-ISPs-AWS/m-p/194726#M36262 the_rock 2023-10-10T20:55:42Z