topic Numbered VTIs between 2 centrally managed CheckPoint clusters in General Topics

Numbered VTIs between 2 centrally managed CheckPoint clusters

Philip_W — Thu, 11 Jul 2019 13:17:15 GMT

Hi Checkmates,

I found some topics in this Community concerning VTIs, but all scenarios seem different to mine so I'm asking you guys for your insights.

We have 2 CheckPoint clusters, both centrally managed in the same SMS. One is Openserver R77.30, the other is a 1450 cluster R77.20.8x. In a normal situation, these sites communicate via MPLS. As a backup connection, we are required to configure an IPSEC site-to-site tunnel. To make failover (from MPLS to S2S) possible, I'm configuring VTI interfaces with routes with a higher metric.

I found some SKs about this (sk113735) and read "Configuring Numbered VTIs" in the Admin Guide but.

The Admin Guide describes how you create 1 VTI tunnel pair between the cluster and one gateway:

But we need this:

1) VTI pair between memberA1 and memberB1

2) VTI pair between memberA1 and memberB2

3) VTI pair between memberA2 and memberB1

4) VTI pair between memberA2 and memberB2

But this creates two tunnels, making it impossible to create working routing.

Or am I missing something?

Re: Numbered VTIs between 2 centrally managed CheckPoint clusters

G_W_Albrecht — Fri, 12 Jul 2019 08:03:53 GMT

I am puzzled a bit by your question: R77.30 could be a Load Sharing Cluster, the other is a 1450 cluster R77.20.8x that is only capable of HA Clustering, but despite that, a HA cluster consisting of two nodes has one external virtual cluster IP - so you only need one tunnel between the two external virtual cluster IPs.

Re: Numbered VTIs between 2 centrally managed CheckPoint clusters

Philip_W — Fri, 12 Jul 2019 09:10:03 GMT

Hmmm, actually this is more a question of how to configure the VTI interface between clusters:

(screenshot from sk113735)

Cluster1 we have (example IPs)

member1 vti local ip 10.10.10.10, remote ip 20.20.20.1

member2 vti local ip 10.10.10.11, remote ip 20.20.20.1

cluster VIP: 10.10.10.1

Cluster2:

member1 vti local ip 20.20.20.20, remote ip 10.10.10.1

member2 vti local ip 20.20.20.21, remote ip 10.10.10.1

cluster VIP: 20.20.20.1

I couldn't get it working like this, so I was guessing this config is wrong.

Re: Numbered VTIs between 2 centrally managed CheckPoint clusters

G_W_Albrecht — Fri, 12 Jul 2019 09:56:51 GMT

You have Site to Site VPN Administration Guide R80.30 and on p.83 you see: Configuring VTIs in a Clustered Environment - you only have to transfer the config to two clusters.