IPsec Enhanced Mode - tunnel redundancy

marcyn — Tue, 22 Apr 2025 13:30:16 GMT

Hi CheckMates,

Because I've not found answers to my questions in documentation and community ... I decided to just ask if anyone from you already have any experience with the new enhanced mode for IPSec that was introduced in R82.

What I want to achieve is IPsec redundancy.

With legacy mode I can do it for example that way:
1) configure ISP Redundancy ... here provide Primary and Backup interfaces and check "Apply settings to VPN traffic" - it will automatically change Link Selection as probing:

2) then I can create two Interoperable Devices in case peer also has two ISPs (1st = Peer's ISP1, 2nd = Peer's ISP2)
3) and VPN Community object with 3 gateways (Check Point + 2x Interoperable Devices with the same VPN Domain)

With the above configuration everything works as expected - once my Primary ISP will fail new IPSec tunnel is instantly established via Backup ISP.
Then when Primary ISP will be back online ... I will have two IPSec tunnels unless I will shutdown this one that is already establised via Backup ISP.... and with this Check Point will send traffic via Primary ISP, and will receive response via Backup ISP (a little strange ... but also expected if peer will not switch to this "repaired" Check Point's primary ISP).

So everything is fine... except one minor issue.
For some reason Check Point is using Main IP for "local ID" in IPsec and not the one from Link Selection.
So if my Main IP is for example from my management network tunnel will not be established unless I will provide this Main IP in peer's configuration for IPsec. Without ISP Redundancy "local ID" is the same that is selected in "Link selection".
Probably it can be changed in GuiDbEdit ... but yeah ... it's weak.
If you don't understood what I meant ... this screenshot should explain it:

Above screenshot shows information from peer's log ... as you can see it receives from Check Point 10.99.99.105 instead of 203.0.113.253.

I decided to check this new enhanced mode.
I expected that it should work like that:
1) for Check Point I'm selecting Primary and Backup interface
2) then I have one Interoperable Device with two IPs (external) and here also one will be Primary, another Backup
And if everything will be fine they should connect via Primary<->Primary.
In case any of ISPs should fail it will be Primary<->Backup or Backup<->Primary, or Backup<->Backup.
But ... it doesn't work like that...

First issue:

I can't have "Auto" for both interfaces ... so I need to select "Next Hop IP Address".
So ... I selected Next Hop IP Address for one of them ... and it didn't work at all - no IPsec tunnel was established with peer.
Then after some strugling and troubleshooting I've found that Next Hop IP Address was wrong one.
For me ... Next Hop in this case = my gateway .... but I had to change it to Peer's IP ! ... so it should be named "Peer's IP"... really strange.
With that tunnel was established via Primary<->Primary.
Then I decided to break connection for this Primary interface.
I expected that new tunnel sbould be established via Backup interface ... it took like one minute and then it was established between Backup<->Backup.
It's not what I expected...

Do you have some experience with this ?
Can you show me what I'm doing wrong, what I could do better ?
How it should be done to achieve the best results ?

Best
m.

Re: IPsec Enhanced Mode - tunnel redundancy

marcyn — Tue, 22 Apr 2025 12:10:52 GMT

It looks like my previous tests with Enhanced Mode gave wrong results ... I was testing this on HyperV.

Another test but this time on Proxmox gave expected results... in both cases that I wanted to test:

Option 1:
Two ISPs on Check Point, one ISP on peer:

Option 2:
Two ISPs on Check Point and peer:

In both cases it worked as expected:
1) when everything works we have tunnel between ISP1->ISP1
2) once ISP1 on Check Point site died tunnel was between ISP2<->ISP1
3) once ISP1 on Check Point returned tunnel was back between ISP1<->ISP1
4) once ISP1 on peer site died tunnel was between ISP1<->ISP2
etc,

**bleep** HyperV...

Best
m.

Re: IPsec Enhanced Mode - tunnel redundancy

the_rock — Tue, 22 Apr 2025 12:13:19 GMT

Thanks for that @marcyn . I tested this in my R82 lab a little bit last week and I really like the enhanced mode, great addition.

Andy

Re: IPsec Enhanced Mode - tunnel redundancy

marcyn — Tue, 22 Apr 2025 12:15:55 GMT

Hi Andy,
At first I also thought that I will love it ... but because I had this ackward results I lost hope...

... luckily I got it back now 🙂

Best
m.

Re: IPsec Enhanced Mode - tunnel redundancy

the_rock — Tue, 22 Apr 2025 12:19:44 GMT

Thats okay, like anything new, takes time to get to like it : - )

Andy

Re: IPsec Enhanced Mode - tunnel redundancy

PhoneBoy — Tue, 22 Apr 2025 12:50:35 GMT

Nice to know the new ISP Redundancy options in R82 worked for you.
Curious why it wasn't working so well in HyperV...

topic Re: IPsec Enhanced Mode - tunnel redundancy in Firewall and Security Management

IPsec Enhanced Mode - tunnel redundancy

Re: IPsec Enhanced Mode - tunnel redundancy

Re: IPsec Enhanced Mode - tunnel redundancy

Re: IPsec Enhanced Mode - tunnel redundancy

Re: IPsec Enhanced Mode - tunnel redundancy

Re: IPsec Enhanced Mode - tunnel redundancy