topic Re: Quantum Spark IPsec tunnel failover in Spark Firewall (SMB)

Quantum Spark IPsec tunnel failover

CheckCheckM — Fri, 17 Mar 2023 06:54:34 GMT

Hello all,

I have a question regarding quantum spark 1800 (R81.10), i have two ipsec between Check point add peer-firewalls with below scenario

. But i cannot setup auto failover for both tunnel, swing manual currently. Is there any idea to solve? thanks much, everyone.

Re: Quantum Spark IPsec tunnel failover

Chris_Atkinson — Fri, 17 Mar 2023 08:54:18 GMT

Locally or centrally managed appliance with domain or Route based tunnels?

Re: Quantum Spark IPsec tunnel failover

CheckCheckM — Fri, 17 Mar 2023 09:30:03 GMT

locally managed. i did using domain coz route base tunnel does not work.

Re: Quantum Spark IPsec tunnel failover

G_W_Albrecht — Fri, 17 Mar 2023 11:55:08 GMT

Redundant VPN Tunnel

Re: Quantum Spark IPsec tunnel failover

Chris_Atkinson — Fri, 17 Mar 2023 12:13:42 GMT

If the encryption domains are the same this will likely be problematic (sk114652).

Regarding route based, it didn't work in what way we're you using dynamic or static routing?

Else you may need to explore ISP redundancy.

Re: Quantum Spark IPsec tunnel failover

CheckCheckM — Fri, 17 Mar 2023 17:39:08 GMT

Thanks @Chris_Atkinson . I'm using static routing but i think, as my scenario, if possible, i prefer to setup route based coz wan link redundancy for both side.

Re: Quantum Spark IPsec tunnel failover

CheckCheckM — Fri, 17 Mar 2023 17:42:32 GMT

Thanks much @G_W_Albrecht . As my scenario, if possible, i prefer to setup route based coz wan link redundancy for both side. can u pls share route based config guide. Is that need to use VTI in router based?

If i used connection type HA with domain base, peer device (non-checkpoint) need to setup 4 tunnels like mesh. that's why, i prefer router based.

Re: Quantum Spark IPsec tunnel failover

Tom_Hinoue — Sun, 19 Mar 2023 02:15:53 GMT

Failover (metric based) using VTIs over 2 IPSec tunnels is currently a limitation and not supported.
We will need manual interaction to bring up/down the VTI interface upon tunnel failover.

Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Known Limitations
>> SMB-2668 - When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs.

Same goes for 1500/1600/1800 series.

Re: Quantum Spark IPsec tunnel failover

Chris_Atkinson — Sun, 19 Mar 2023 05:13:35 GMT

Unfortunately static routes won't work with route based VPNs for redundancy - known limitation.

If you need this specifically versus dynamic routing please discuss it further with your local SE as an RFE.

Re: Quantum Spark IPsec tunnel failover

CheckCheckM — Sun, 19 Mar 2023 07:58:37 GMT

Thanks for the great suggestion! @Tom_Hinoue i'm using r81.10.05 but still limitation as known regarding VPN Service based link selection. Hopefully in next firmware.