topic Re: Redundant Site to Site VPNs in SASE and Remote Access

Redundant Site to Site VPNs

Rodrigo_Castell — Thu, 19 Apr 2018 15:00:35 GMT

Has anyone been able to set this up between Check Point and third party devices ? Its Palo Alto in this case. And I will be using different public IPs on local and remote peers.

Do I create a new community with the secondary Peer IP Address? Or add a gateway to the existing community ? What happens with routes (I added another route with higher metric for secondary IP peer)? How does Check Point disable the primary route so the secondary route kicks in if the primary VPN tunnel does down ?

I know Palo has something that monitors an IP and if it goes down it disables the primary interface so seconday kicks in. Im just wondering whats the best way to do this on my Check Point side.

Re: Redundant Site to Site VPNs

Rodrigo_Castell — Fri, 20 Apr 2018 15:15:13 GMT

Its a work in progress, Im missing something.

On Check Point side, secondary IP added to the same community, added the secondary route for remote network to the routing table.

Palo Alto doing its thing with tunnel monitoring.

On testing (Logically bringing down the tunnel and/or physically disconnecting interface) ping is acting a bit strange giving timeouts, yet others services like https, snmp, etc. are working correctly.

Re: Redundant Site to Site VPNs

PhoneBoy — Fri, 20 Apr 2018 17:17:11 GMT

Are you doing this as a domain-based VPN or route-based?

Route-based might be the better way to do it.

Re: Redundant Site to Site VPNs

Rodrigo_Castell — Fri, 20 Apr 2018 18:24:28 GMT

Yep, Im using Route-Based.

Re: Redundant Site to Site VPNs

Saad_Nizam — Sun, 12 Aug 2018 12:39:25 GMT

Is it possible to share your configuration on "secondary IP added to the same community" ? How was this done ?

I am trying to do this in on my environments, will be helpful.

Thnks

Re: Redundant Site to Site VPNs

Rodrigo_Castell — Tue, 14 Aug 2018 22:18:55 GMT

Hi,

I added a new Interoperable Device to the existing VPN Community.

Re: Redundant Site to Site VPNs

Lucas_Piris — Sun, 19 Aug 2018 15:05:18 GMT

Hi Rodrigo,

Do you need this VPN works was active/standby?

A few days, I tested a similar scenary with AWS using BGP, to keep all VPN´s UP, i created a PBR to destination IP of peer using the second gateway.

If you are using static route, do you need to create two routes using the peer ip tunnel (numbered) (not public) with priority, for example 1 for the primary tunnel and 2 for the second, for failover check de ping option on route.

And I added all interoperable devices in same community.

Lucas

Re: Redundant Site to Site VPNs

Rodrigo_Castell — Thu, 23 Aug 2018 20:45:07 GMT

Hi, Im using static routes with different priority and no ping failover.

Re: Redundant Site to Site VPNs

Netmagic_SOC — Wed, 20 Feb 2019 11:20:47 GMT

Hi.

What is solution here for asked question?

Re: Redundant Site to Site VPNs

Blason_R — Tue, 15 Oct 2019 03:02:25 GMT

Did that work? I am trying to achieve the same thing with Frotigate firewalls and 5100 devices. What is the best solution then to achieve VPN Redundancy?

Re: Redundant Site to Site VPNs

mdjmcnally — Tue, 15 Oct 2019 07:01:38 GMT

I don't believe that an actual solution given/accepted as such however I believeif you configure a Route Based VPN and Ping the Remote VTI and then use Routes to give priority to 1 Tunnel over the other then should work looking at other solutions such as PurePort

https://help.pureport.com/support/solutions/articles/43000489357-vpn-config-guide-palo-alto-networks-ngfw-8-0-0-route-based-bgp-vpn

Very similar to the

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100726&partition=General&product=IPSec

for AWS but should work the same.

Make sure enable the DPD Support on the Check Point.

Re: Redundant Site to Site VPNs

Blason_R — Tue, 15 Oct 2019 11:31:32 GMT

Or not sure if anyone has tried the redundancy with MEP in R80.30?

But I guess with dynamic protocol this can be very well achieved, right?