https://community.checkpoint.com/t5/SASE-and-Remote-Access/IPSec-Amazon-without-VTI/m-p/12878#M12901 <HTML><HEAD></HEAD><BODY><P>It's generally less reliable to not use VTIs with Amazon.</P><P>See:&nbsp;<A href="https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-policy-install" target="_blank">https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-policy-install</A>&nbsp;</P><P>You really should consider upgrading to R80.x.</P></BODY></HTML> Fri, 21 Jun 2019 09:03:10 GMT PhoneBoy 2019-06-21T09:03:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/IPSec-Amazon-without-VTI/m-p/12877#M12900 <HTML><HEAD></HEAD><BODY><P>Site2Site VPN (Amazon - Company)</P><P></P><P>We're running a firewall cluster based on R77.30 and what to setup a IPsec VPN tunnel with Amazon VPC</P><P></P><P>But there's a known issue with R77.30 and VTI's</P><P>See:</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726&amp;partition=General&amp;product=IPSec" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726&amp;partition=General&amp;product=IPSec">How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes</A>&nbsp;</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/76213_pastedImage_3.png" /></P><P>If CoreXL is disabled we see a very High CPU usuage.</P><P>That's why we want to setup an IPSec without VTI's, instead of updating to R88.10 first.</P><P></P><P>When downloading the Configuration file from Amazon:</P><UL><LI>Vendor: Generic</LI><LI>Platform: Generic</LI><LI>Software: Vendor Agnostic</LI></UL><P></P><P>Within the config file there's a part about the Inside IP Address</P><P></P><TABLE class="j-table jiveBorder" style="border: 1px solid #c6c6c6;" width="100%"><THEAD><TR style="background-color: #efefef;"><TH>The Customer Gateway inside IP address should be configured on your tunnel<BR />interface.</TH></TR></THEAD><TBODY><TR><TD>Outside IP Addresses:<BR />&nbsp; - Customer Gateway &nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : a.b.c.d.<BR />&nbsp; - Virtual Private Gateway&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : z.y.x.w<BR />&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;<BR />Inside IP Addresses<BR />&nbsp; - Customer Gateway&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;: 169.254.22.106/30<BR />&nbsp; - Virtual Private Gateway&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 169.254.22.105/30</TD></TR></TBODY></TABLE><P></P><P></P><P>How can I configure the inside Customer Gateway and Inside Virtual Private Gateway without using VTI's ?</P><P></P><P>The following SK article has been followed (sk113840)</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk113840" title="https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk113840">How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Services VPC using stati…</A>&nbsp;</P><P></P><P>And:</P><P><A class="link-titled" href="https://aws.amazon.com/premiumsupport/knowledge-center/vpn-cgw-vpg-traffic/" title="https://aws.amazon.com/premiumsupport/knowledge-center/vpn-cgw-vpg-traffic/">Ensure VPN Tunnels Pass Traffic Between Customer Gateways and Virtual Private Gateways</A>&nbsp;</P><P></P><P>Please advice.</P><P></P><P>Regards,</P><P>Ray</P></BODY></HTML> Tue, 04 Dec 2018 13:46:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/IPSec-Amazon-without-VTI/m-p/12877#M12900 Raymond_Poede 2018-12-04T13:46:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/IPSec-Amazon-without-VTI/m-p/12878#M12901 <HTML><HEAD></HEAD><BODY><P>It's generally less reliable to not use VTIs with Amazon.</P><P>See:&nbsp;<A href="https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-policy-install" target="_blank">https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-policy-install</A>&nbsp;</P><P>You really should consider upgrading to R80.x.</P></BODY></HTML> Fri, 21 Jun 2019 09:03:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/IPSec-Amazon-without-VTI/m-p/12878#M12901 PhoneBoy 2019-06-21T09:03:10Z