topic IPsec S2S VPN Failover With 3rd Party Peer in General Topics

IPsec S2S VPN Failover With 3rd Party Peer

Digo11 — Wed, 12 Jul 2023 04:19:01 GMT

Hello Community.

Greetings to all.

I have a single 6700 R81.10 SG with an SMS in VM as the distributed deployment. I have two ISPs configured and defined as an external zone. I want to achieve IPsec tunnel failover, that is when ISP1 goes down, the tunnel should work through ISP2.

ISP redundancy is working properly. I have two default routes via ISP1 and ISP2 with different priorities. When ISP1 is down, traffic passes through ISP2.

I have configured two IPsec site-to-site VPNs using Mesh Topology. Initially, both the tunnels show up and I can reach to remote peer encryption domain (Internal Network) via the primary link or tunnel.

ISP1: 10.11.200.10 (GW 10.11.200.1) Default Route: 0.0.0.0 via 10.11.200..1 priority 1

ISP2: 192.168.6.90 (GW 192.168.6.1) Default Route: 0.0.0.0 via 192.168.6.1 priority 4

IPsec VPN Primary: ISP1 - 10.11.200.10 Remote Peer - 192.168.3.99

IPsec VPN Secondary ISP2 -192.168.6.90 Remote Peer - 192.168.244.75

The Problem: When I manually shut ISP1 interface the traffic does flow via ISP2 but the IPsec tunnel does not come up. I can not reach to remote peer encryption domain (Internal Network). CP still tries to answer the remote peer request using the same ISP1 I guess, When I enable the ISP1 the connection works fine again.

Tried every bit in the IPsec Link Selection section but no progress. Followed this guide https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/ISP-Redundancy-and-VPN.htm?tocpath=ISP%20Redundancy%20on%20a%20Security%20Gateway%7C_____2 but no luck.

Any guidance will be really helpful.

Thank you.

Digo.

Re: IPsec S2S VPN Failover With 3rd Party Peer

Blason_R — Wed, 12 Jul 2023 04:05:13 GMT

Is this policy based tunnel or route based tunnels? What does your settings show on IPSev VPN -> Link Selection?

Have you selected specific IP there?

Re: IPsec S2S VPN Failover With 3rd Party Peer

Digo11 — Wed, 12 Jul 2023 04:30:44 GMT

Hi @Blason_R

It's a Policy-based tunnel. IPsec link selection and ISP redundancy is configured as attached.

Regards,

Digo.

Re: IPsec S2S VPN Failover With 3rd Party Peer

Digo11 — Thu, 13 Jul 2023 06:06:40 GMT

Hello Community.

Can someone please guide me through the steps for getting the IPsec S2S tunnel failover done? I tried policy-based and route-based VPNs but the issue remains the same, the traffic does not switch to the secondary ISP or Tunnel in case the primary is down.

@Chris_Atkinson @Timothy_Hall @PhoneBoy @the_rock

Re: IPsec S2S VPN Failover With 3rd Party Peer

Blason_R — Thu, 13 Jul 2023 06:09:47 GMT

Actually its a limitation for sure and I have been struggling with this. However you can try with MEP feature and I used this in past but I still could not achieve it completely.

So if you ask me - it can not be achieved seamelessely.

Re: IPsec S2S VPN Failover With 3rd Party Peer

Digo11 — Thu, 13 Jul 2023 06:29:49 GMT

Hi @Blason_R

Thanks for the quick info. Various SK suggests it is achievable and I followed many of them (sk164355 sk53980 sk108600) and the Site to Site VPN R81.10 Administration Guide too. But none seemed to be helpful. I don't know if I am missing something here configuration-wise or if the flow is not correct.

Thanks,

Digo.