topic Re: S2S VPN failover using route based VPN in Firewall and Security Management

S2S VPN failover using route based VPN

shantilalSuthar — Thu, 11 Apr 2024 06:55:37 GMT

Hi Guys,

I have a requirement where i need to create two route-based ipsec tunnels between Checkpoint & third party vendor & there are around 500 clients to which i need to create tunnels in active/backup manner.

Kindly suggest how to achieve this.

Re: S2S VPN failover using route based VPN

Henrik_J — Thu, 11 Apr 2024 10:11:19 GMT

Hello!

First of all, you'd have to use route-based VPN as you said, instead of a pure policy-based VPN.

So what you do is define two VTI interfaces on the gateway, acting as the logical interfaces for the VPN, and then set up routing based off that, where you also set up which third party gateway it will communicate towards.

If you want to use static routes with IP tracking, or dynamic protocols such as OSPF or BGP is up to you, I would personally recommend dynamic protocol.

See this guide when it comes to the VTIs etc:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Based-VPN.htm

As for the VPN itself, you create a policy based VPN as usual, but leave the VPN domains as empty groups, (since the routing will decide what will traverse over the tunnel).

Re: S2S VPN failover using route based VPN

shantilalSuthar — Thu, 11 Apr 2024 11:31:21 GMT

Thanks for your suggestions but here my question is, Is it possible to keep two VPN tunnel active on different ISP ?

As i know we can only select single interface in link selection option of IPsec VPN.

Re: S2S VPN failover using route based VPN

Henrik_J — Thu, 11 Apr 2024 17:14:10 GMT

I mean, you could technically route your interoperable device IPs out on different ISPs with definitive /32 routes to their public IPs.

Should be possible.
Then you'd just use the routing in the VTI tunneling to decide which tunnel to use etc.

Re: S2S VPN failover using route based VPN

shantilalSuthar — Fri, 12 Apr 2024 04:31:18 GMT

It means link selection does not matter if we use route based VPN to select the outgoing tunnel ? Am i correct ?

Re: S2S VPN failover using route based VPN

Blason_R — Fri, 12 Apr 2024 05:26:48 GMT

From checkpoint end nope it is not possible since you can terminate tunnel only on one ISP. While you can create two tunnels with two ISP for remote end.

Re: S2S VPN failover using route based VPN

shantilalSuthar — Fri, 12 Apr 2024 06:34:38 GMT

that is what i was trying to tell. Only one tunnel will be UP at a time right ?? Do we need to use ISP redundancy for auto tunnel failover.