topic Re: Redundant VPN Tunnel in Spark Firewall (SMB)

Redundant VPN Tunnel

GabsOliv — Thu, 06 Dec 2018 00:54:36 GMT

On Main site, will have an appliance with two internet connection (two ISP’s), with fixed IP. One Remote sites, (one internet connection with fixed IP), I need to establish a VPN to the main site.

Target is established to one of the ISP’s, if it fails, automatically the tunnel will be established to the other.

We only can do this, using VTI, correct? or is there any other option?

Thanks

Re: Redundant VPN Tunnel

Pedro_Espindola — Thu, 06 Dec 2018 02:22:26 GMT

Actually, in the VPN site configuration, you can set it to HA. You don't need VTIs. Works very well between 2 SMB appliances.

Are all the sites Check Point appliances?

Re: Redundant VPN Tunnel

GabsOliv — Thu, 06 Dec 2018 09:06:06 GMT

All the sites will be checkpoint SMB appliances, but without HA.

Re: Redundant VPN Tunnel

GabsOliv — Thu, 06 Dec 2018 09:07:14 GMT

Re: Redundant VPN Tunnel

G_W_Albrecht — Thu, 06 Dec 2018 11:37:46 GMT

So you plan using ISP Load Sharing ? As you wrote, without HA...

Re: Redundant VPN Tunnel

GabsOliv — Thu, 06 Dec 2018 11:42:48 GMT

My plan is use ISP Load Sharing on the main site. Remote site's will connect to Main, using vpn. The S2S VPN will be established to Interface in ISP1. If ISP1 fails, need to establish S2S VPN to ISP2.

As far as i can see, the only way to do it is using VTI tunnels. Any other idea ?

Re: Redundant VPN Tunnel

G_W_Albrecht — Sun, 19 Mar 2023 09:26:13 GMT

No other idea.

Re: Redundant VPN Tunnel

Pedro_Espindola — Thu, 06 Dec 2018 13:04:25 GMT

"If ISP1 fails, need to establish S2S VPN to ISP2"

That is High Availability. You can use it domain based, no need to use VTIs. Here is what you have to do in the remote sites:

Re: Redundant VPN Tunnel

Ricardo_Gros — Thu, 06 Dec 2018 13:12:54 GMT

Hi Pedro,

Have you tried this with the main Site being on Load Sharing?

I´m wondering if this wont create confusion if the Tunnel is initiated from the Central Gateway.

Re: Redundant VPN Tunnel

Pedro_Espindola — Thu, 06 Dec 2018 13:30:50 GMT

He can also use the Load Sharing option.

Or he can set the option "only remote site initiates the connection" when configuring the site in the Main Gateway.

Re: Redundant VPN Tunnel

Ricardo_Gros — Thu, 06 Dec 2018 13:30:53 GMT

Hi Gabriel,

From the design it seems you want to have 2 Permanent tunnels as redundancy and not have 1 tunnel establish on active Link. I don´t think you can do this over ISP load sharing (but never tried) and the 2 option seems simpler.

For your design I think you need Route based VPN.

Re: Redundant VPN Tunnel

Pedro_Espindola — Thu, 06 Dec 2018 16:52:31 GMT

I had issues trying to use VTIs for redundancy. It works well on NON-SMB appliances, but how do I set the route as monitored in the little ones?

When Tunnel goes down, the primary route remains UP and we get no traffic.

Then I found out about the HA option, gave up on VTIs and had no more problems for SMB to SMB tunnels.

Re: Redundant VPN Tunnel

Ricardo_Gros — Fri, 07 Dec 2018 08:00:53 GMT

Hi,

When we did this we used Dynamic routing, so the routes where not advertised if one of the links was down.

At the time I did not find a way to have something like ping probing. However eventually if you route to the VTI interface directly (not the IP but the VTI ID can be selected) it removes the route? To be honest never tried this with static routes.

Re: Redundant VPN Tunnel

Pedro_Espindola — Fri, 07 Dec 2018 16:15:59 GMT

No, the route remains active no matter what happens. I guess only dynamic routing will work, as you said.

Re: Redundant VPN Tunnel

Chris_Atkinson — Fri, 17 Mar 2023 12:17:30 GMT

Correct, please refer known limitation: SMB-2668