topic Need Help Setting up New VPN in HA for Verizon M2M in SASE and Remote Access https://community.checkpoint.com/t5/SASE-and-Remote-Access/Need-Help-Setting-up-New-VPN-in-HA-for-Verizon-M2M/m-p/202849#M4204 <P>I would like some help with this if possible, I inherited this checkpoint setup and don't know how to configure so I was looking for some help. We currently have a Verizon M2M portal that we access using VTI on our firewall 3200's HA setup. I have to update our vpn to a new BGP solution because Verizon is doing away with the setup we have currently, they sent me these requirements but I don't where to start. Per the tech:</P><P>Perform this prior this is a sample of what needs to be done:</P><P>1. Add VTI interface IP's on Primary<BR />2. Enable BGP on Primary<BR />3. Add new backupVPN Circuit<BR />4. add VTI and BGP on backup Circuit<BR />5. add Prepend statement on backup circuit</P><P>On First Firewall:</P><P>Firewall1<BR />!<BR />interface Tunnel1<BR />nameif VTI_interface<BR />ip address 10.1.1.2 255.255.255.252<BR />tunnel source interface Outside<BR />tunnel destination 123.xxx.xxx.38<BR />tunnel mode ipsec ipv4<BR />tunnel protection ipsec profile VERIZON<BR />!</P><P><BR />router bgp 65535<BR />bgp log-neighbor-changes<BR />bgp bestpath compare-routerid<BR />address-family ipv4 unicast<BR />neighbor 10.1.1.1 remote-as 6167<BR />neighbor 10.1.1.1 activate<BR />network 0.0.0.0<BR />no auto-summary<BR />synchronization<BR />exit-address-family<BR />!</P><P>route VTI_interface 10.0.0.0 255.252.0.0 10.1.1.1 1</P><P><BR />crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac<BR />crypto ipsec profile VERIZON<BR />set ikev1 transform-set VTI</P><P>&nbsp;</P><P>crypto ikev1 enable Outside</P><P>crypto ikev1 policy 40<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400</P><P><BR />tunnel-group 123.xxx.xxx.38 type ipsec-l2l<BR />tunnel-group 123.xxx.xxx.38 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />!</P><P>&nbsp;</P><P><BR />Firewall2</P><P>!<BR />interface Tunnel2<BR />nameif VTI_interface<BR />ip address 10.1.4.2 255.255.255.252<BR />tunnel source interface Outside1<BR />tunnel destination 123.xx.xxx.250</P><P>tunnel mode ipsec ipv4<BR />tunnel protection ipsec profile VERIZON</P><P>!<BR />router bgp 65535<BR />bgp log-neighbor-changes<BR />bgp bestpath compare-routerid<BR />address-family ipv4 unicast<BR />neighbor 10.1.4.1 remote-as 6167<BR />neighbor 10.1.4.1 activate<BR />neighbor 10.1.4.1 route-map PREPEND out<BR />network 0.0.0.0<BR />no auto-summary<BR />no synchronization<BR />exit-address-family</P><P>route-map PREPEND permit 10</P><P>set as-path prepend 65535 65535<BR />!<BR />route-map PREPEND permit 20</P><P>!<BR />route VTI_interface 10.0.0.0 255.252.0.0 10.4.1.1 1</P><P><BR />crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac<BR />crypto ipsec profile VERIZON<BR />set ikev1 transform-set VTI</P><P>crypto ikev1 enable Outside1</P><P>crypto ikev1 policy 40<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400</P><P>tunnel-group 123.xxx.xxx.250 type ipsec-l2l<BR />tunnel-group 123.xxx.xxx.250 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />!</P> Thu, 11 Jan 2024 16:51:08 GMT chueymtz 2024-01-11T16:51:08Z Need Help Setting up New VPN in HA for Verizon M2M https://community.checkpoint.com/t5/SASE-and-Remote-Access/Need-Help-Setting-up-New-VPN-in-HA-for-Verizon-M2M/m-p/202849#M4204 <P>I would like some help with this if possible, I inherited this checkpoint setup and don't know how to configure so I was looking for some help. We currently have a Verizon M2M portal that we access using VTI on our firewall 3200's HA setup. I have to update our vpn to a new BGP solution because Verizon is doing away with the setup we have currently, they sent me these requirements but I don't where to start. Per the tech:</P><P>Perform this prior this is a sample of what needs to be done:</P><P>1. Add VTI interface IP's on Primary<BR />2. Enable BGP on Primary<BR />3. Add new backupVPN Circuit<BR />4. add VTI and BGP on backup Circuit<BR />5. add Prepend statement on backup circuit</P><P>On First Firewall:</P><P>Firewall1<BR />!<BR />interface Tunnel1<BR />nameif VTI_interface<BR />ip address 10.1.1.2 255.255.255.252<BR />tunnel source interface Outside<BR />tunnel destination 123.xxx.xxx.38<BR />tunnel mode ipsec ipv4<BR />tunnel protection ipsec profile VERIZON<BR />!</P><P><BR />router bgp 65535<BR />bgp log-neighbor-changes<BR />bgp bestpath compare-routerid<BR />address-family ipv4 unicast<BR />neighbor 10.1.1.1 remote-as 6167<BR />neighbor 10.1.1.1 activate<BR />network 0.0.0.0<BR />no auto-summary<BR />synchronization<BR />exit-address-family<BR />!</P><P>route VTI_interface 10.0.0.0 255.252.0.0 10.1.1.1 1</P><P><BR />crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac<BR />crypto ipsec profile VERIZON<BR />set ikev1 transform-set VTI</P><P>&nbsp;</P><P>crypto ikev1 enable Outside</P><P>crypto ikev1 policy 40<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400</P><P><BR />tunnel-group 123.xxx.xxx.38 type ipsec-l2l<BR />tunnel-group 123.xxx.xxx.38 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />!</P><P>&nbsp;</P><P><BR />Firewall2</P><P>!<BR />interface Tunnel2<BR />nameif VTI_interface<BR />ip address 10.1.4.2 255.255.255.252<BR />tunnel source interface Outside1<BR />tunnel destination 123.xx.xxx.250</P><P>tunnel mode ipsec ipv4<BR />tunnel protection ipsec profile VERIZON</P><P>!<BR />router bgp 65535<BR />bgp log-neighbor-changes<BR />bgp bestpath compare-routerid<BR />address-family ipv4 unicast<BR />neighbor 10.1.4.1 remote-as 6167<BR />neighbor 10.1.4.1 activate<BR />neighbor 10.1.4.1 route-map PREPEND out<BR />network 0.0.0.0<BR />no auto-summary<BR />no synchronization<BR />exit-address-family</P><P>route-map PREPEND permit 10</P><P>set as-path prepend 65535 65535<BR />!<BR />route-map PREPEND permit 20</P><P>!<BR />route VTI_interface 10.0.0.0 255.252.0.0 10.4.1.1 1</P><P><BR />crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac<BR />crypto ipsec profile VERIZON<BR />set ikev1 transform-set VTI</P><P>crypto ikev1 enable Outside1</P><P>crypto ikev1 policy 40<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400</P><P>tunnel-group 123.xxx.xxx.250 type ipsec-l2l<BR />tunnel-group 123.xxx.xxx.250 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />!</P> Thu, 11 Jan 2024 16:51:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Need-Help-Setting-up-New-VPN-in-HA-for-Verizon-M2M/m-p/202849#M4204 chueymtz 2024-01-11T16:51:08Z Re: Need Help Setting up New VPN in HA for Verizon M2M https://community.checkpoint.com/t5/SASE-and-Remote-Access/Need-Help-Setting-up-New-VPN-in-HA-for-Verizon-M2M/m-p/202954#M4205 <P>You would need to configure a route-based VPN on the Check Point side.<BR />See:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Route-Based-VPN.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Route-Based-VPN.htm</A>&nbsp;</P> Fri, 12 Jan 2024 20:05:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Need-Help-Setting-up-New-VPN-in-HA-for-Verizon-M2M/m-p/202954#M4205 PhoneBoy 2024-01-12T20:05:37Z