topic Re: How can I setup a primary and backup S2S VPN tunnels in General Topics

How can I setup a primary and backup S2S VPN tunnels

Jacques_Spelier — Tue, 16 Jan 2018 19:49:08 GMT

Scenario:

1 local Checkpoint R80.10 gateway cluster (site L1) need to establish a primary site to site tunnel to remote Fortinet gateway (site R1) having HostA and HostB. A secondary remote site (R2) exists housing HostC sync'ed from R1 HostA. There is "link" between R1 and R2 managed by the Vendor. L1 gateway needs to have backup/secondary site to site tunnel to R2 in the event R1 gateway is not available.

Users behind L1 access HostA and HostB through primary tunnel to R1. Users behind L1 access HostC at R2 via primary tunnel to R1 and then link to R2.

Question: For us to have automatic failover of traffic destined to HostA, HostB and HostC to flow over the secondary tunnel, would configuring route statements on the gateway's OS with different priority work?

hostA nexthop gw X priority1 (flows over tunnel to R1)

hostA nexthop gw Y priority2 (flows over tunnel to R2)

Would the gw IP be the actual Fortinet IP or would it be an IP within the tunnel?

Note: This setup would be extended to another local site (L2) to provide redundancy in the event of losing L1.

Thanks.

Re: How can I setup a primary and backup S2S VPN tunnels

PhoneBoy — Wed, 17 Jan 2018 05:13:54 GMT

If you want the routing table to determine priority, you need to configure the VPN with VTIs.

See the Route-Based VPN section of: Site to Site VPN R80.10 - Part of Check Point Infinity

Re: How can I setup a primary and backup S2S VPN tunnels

Danny — Wed, 17 Jan 2018 07:47:11 GMT

You could also check if Domain Based VPN with Link Selection and Probing might be a solution for you.

Re: How can I setup a primary and backup S2S VPN tunnels

KennyManrique — Wed, 17 Jan 2018 13:06:59 GMT

Hello Danny,

I think Link Selection with Probing will not work in this case since there is a Fortinet device on the remote end.

This setting only work when you have another Check Point devices managed by the same security management, so at the policy install you are telling them to use RDP Probing to test the addresses on the list.

Dameon's recommendation of using Route Based VPN will be more adequate to this scenario. Since Fortinet supports this technology, the most adequate approach is use Numbered VTI. This way all the encryption is made according to the routing table and can define different priorities for the traffic. Also there is the advantage he's using R80.10, so Route Based VPN works without disabling CoreXL.

Regards.

Re: How can I setup a primary and backup S2S VPN tunnels

Danny — Wed, 17 Jan 2018 14:47:10 GMT

You are absolutely right as Link Selection Probing relies on a Check Point proprietary protocol. I was just giving a more open answer to others reading this sometimes being in a similar situation. In cases where you are limited to Domain Based VPN (e.g. VSX users - sk110519, sk30975, sk79700) your only choice is to evaluate and go with Link Selection. If your VPN partner doesn't have a Check Point solution you might need to set up a dedicated Non-VSX VPN Gatetway and use VTIs or please your VPN partner to use Check Point .

Re: How can I setup a primary and backup S2S VPN tunnels

Jacques_Spelier — Thu, 18 Jan 2018 15:32:38 GMT

Thanks everyone for the useful feedback. Any concerns with the same local gateways terminating other different VPNs in a different configuration? more than 3 communities,some mesh, some star.

Re: How can I setup a primary and backup S2S VPN tunnels

VENKAT_S_P — Tue, 23 Jan 2018 17:42:18 GMT

Can i configure both numbered and unnumbered VTI on the same box?

unnumbered with ospf and numbered with bgp?

Just to Note: according to R80.10 admin guide it says 1-99 VTI, but when checked it can scale up to 0..32768.

Re: How can I setup a primary and backup S2S VPN tunnels

VENKAT_S_P — Tue, 23 Jan 2018 19:17:04 GMT

Seems like the configs shown under "Configuring member_GWA1" needs correction.

Site to Site VPN R80.10 Administration Guide

================

--------- Add vt-GWb

VPN shell:[/] > /interface/add/numbered 10.0.1.11 10.0.0.2 GWb

Interface 'vt-GWb' was added successfully to the system

--------- Add vt-GWc

VPN shell:[/] > /interface/add/numbered 10.0.1.21 10.0.0.3 GWc

Interface 'vt-GWc' was added successfully to the system

================

I checked one for R77 and found the same.

Route Based VPN

Re: How can I setup a primary and backup S2S VPN tunnels

Albert_Wilkes — Mon, 24 Feb 2020 12:00:40 GMT

While probing is likely to fail using CP proprietary RDP with 3rd party devices, there is some value in link selection. Rather than relying on RDP to find the path, you could rely on the 3rd party device decision as discussed here as well:
https://community.checkpoint.com/t5/General-Topics/IPSec-VPN-Link-Selection/m-p/10729/highlight/true#M1542
If you can get the remote peer to establish the session first you should be golden using "reply from same interface".