https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50707#M484 <P>在公有雲上要想想別的辦法了,傳統的clusterxl機制不再,改成用API的方式,所以時間會比以前長很多,這好像是沒有辦法的事。</P> Fri, 12 Apr 2019 09:02:35 GMT Neville_Kuo 2019-04-12T09:02:35Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47344#M463 <P>實作 VTI unnumbered with 3rd party (FortiGate 60C, Juniper SSG5)，以下是簡略的 memo 留存。(只記錄我方重點步驟，其餘留default，或二端匹配之VPN設定)</P><P>VTI unnumbered<BR />1. GaIA - add vpn tunnel 1 type unnumbered local peer peergwname dev eth0<BR />2. GaIA - set static-route xx.xx.xx.xx/yy nexthop gateway logical vpnt1 on<BR />3. SmartConsole - Create a empty Group object. (I.E. VPN_Empty)<BR />4. SmartConsole - Create a Interoperable Devices - IPv4 Address<BR />5. SmartConsole - Modify Interoperable Devices - Topology - VPN Domain - Manually defined - VPN_Empty<BR />5. SmartConsole - Create a community with two firewall peers.</P> Mon, 18 Mar 2019 05:56:27 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47344#M463 George_Liu 2019-03-18T05:56:27Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47357#M464 <P>You found detail&nbsp; informations here:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm" target="_self">Site to Site VPN Administration Guide R80.10</A></P> Mon, 18 Mar 2019 06:39:50 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47357#M464 HeikoAnkenbrand 2019-03-18T06:39:50Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47358#M465 Tip:<BR />-use IKEv1<BR />-use same ProxyID<BR />- on ssg side:<BR /> - add gateway<BR /> - add VPN tunnel Interface <BR /> - add route<BR /> - add VPN role<BR /><BR /> Mon, 18 Mar 2019 06:55:16 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47358#M465 HeikoAnkenbrand 2019-03-18T06:55:16Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48367#M467 <P>需注意corexl問題,在R77.30之前route based vpn不支援。</P> Sat, 23 Mar 2019 04:17:20 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48367#M467 Neville_Kuo 2019-03-23T04:17:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48409#M468 <P>通过static route priority能做出来两条route based vpn是Active/Standby的效果吗？</P> Sun, 24 Mar 2019 10:51:25 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48409#M468 Dawei_Ye 2019-03-24T10:51:25Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48416#M469 <P>當然可以,還可以做route monitor,或者配合dynamic routing做出漂亮的流量工程。</P> Sun, 24 Mar 2019 12:56:17 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48416#M469 Neville_Kuo 2019-03-24T12:56:17Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48942#M470 拜读过N大的Route-based vpn with OSPF.<BR />最近在测试route-based vpn ,当中需要用到pbr，好像pbr没办法通过priority来切换。<BR />还在测试中…… Thu, 28 Mar 2019 02:19:20 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48942#M470 Dawei_Ye 2019-03-28T02:19:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48947#M471 <P>如果您的PBR的next hop是多個IP,那我們的經銷夥伴測試過了,看來是不行,CP的routing功能不強。</P> Thu, 28 Mar 2019 06:41:42 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48947#M471 Neville_Kuo 2019-03-28T06:41:42Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48954#M472 嗯，我们有两条VPN Tunnel，想通过pbr中next hop优先级来做active/standby。<BR />看样子只能用dynamic routing了？ Thu, 28 Mar 2019 07:05:01 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48954#M472 Dawei_Ye 2019-03-28T07:05:01Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/49015#M474 <P>如果需求只是這樣,那您就更應該考慮用dynamic routing了,試試用簡單的RIP,兩個interface設定不同cost,就可以達到您要的效果了,在小範圍裡它算最好上手的routing protocol了,當然記得policy要allow RIP,如果用OSPF更好。</P><P>PBR對securexl有反效果,所以對效能也有不好影響,我個人不建議也不喜歡。</P> Thu, 28 Mar 2019 12:10:29 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/49015#M474 Neville_Kuo 2019-03-28T12:10:29Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50061#M479 <P>unnumber vti 不支持 route ping monitor，最近測試發現的，現在準備試看看 vti number 能不能實現這個需求。</P> Sun, 07 Apr 2019 13:39:16 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50061#M479 George_Liu 2019-04-07T13:39:16Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50068#M480 <P>喬治哥:</P><P>基本上您的需求把vti介面設IP就對了,我們有個客戶跑了3條route based vpn,都有做route monitoring。</P><P>這個情況很正常,因為unnumber其實是和實體介面"借"了一個IP過來,如果要做route monitoring,對底層的OS而言,它會不知道要帶實體介面或者vti去ping next hop的,因為IP都是同一個。</P><P>假設Route based vpn架構單純(只有兩個點),懶得幫vti介面想IP,卻又要讓某些需要NAT traversal的應用(如IPsec或VOIP)封包通過的話,直接用unnumber很適合,因為您的目的只是為了有IP可以去轉換而已,但是如果像我們常會遇到Dynamic routing, route monitor,或vti有多個next hop的需求時, unnumber是行不通的。</P><P>所以後來我都不用unnumber interface了,即使架構簡單。</P><P>&nbsp;</P> Sun, 07 Apr 2019 15:03:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50068#M480 Neville_Kuo 2019-04-07T15:03:00Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50371#M481 <P>受益了。</P> Wed, 10 Apr 2019 03:34:31 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50371#M481 George_Liu 2019-04-10T03:34:31Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50372#M482 <P>To Dawei</P><P>實作 vti number + static route ping monitor + static route priority 可達到您要的 active /standby 線路需求。</P> Wed, 10 Apr 2019 03:36:14 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50372#M482 George_Liu 2019-04-10T03:36:14Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50692#M483 乔治哥，<BR /><BR />确实static route应该是可以的。<BR />后续我们使用了N大建议的OSPF，但是我这边是在AWS上测试，发现一个很奇怪的现象：<BR />由于我是通过Route-based VPN建立的OSPF，在AWS上ClusterXL切换最长可能要40+s，正好大于了OSPF的dead timer.<BR /><BR />所以，几乎每次都会切到另外一个neighbor，再切回来。<BR />而且我们发现，如果过了Dead Time,ClusterXL切换还没完成的话，有很大概率会发生主线路的route-based VPN不通的情况。<BR /><BR />大概需要30分钟，甚至更长，才能恢复。<BR />这时由于priority和cost的设置，路由会切回active线路。 Fri, 12 Apr 2019 05:23:39 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50692#M483 Dawei_Ye 2019-04-12T05:23:39Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50707#M484 <P>在公有雲上要想想別的辦法了,傳統的clusterxl機制不再,改成用API的方式,所以時間會比以前長很多,這好像是沒有辦法的事。</P> Fri, 12 Apr 2019 09:02:35 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50707#M484 Neville_Kuo 2019-04-12T09:02:35Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50830#M485 <P>对的。API的方式，没法改变。<BR />不过，我说的30分钟不是clusterXL failover的时间，正常failover的时间在40-60s左右。<BR /><BR />但是VPN这个问题，我现在只能开SR请TAC帮忙了。不知道能不能解决。</P> Sat, 13 Apr 2019 15:43:19 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50830#M485 Dawei_Ye 2019-04-13T15:43:19Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53258#M499 <P>在R80.30的新功能可以試試,我還沒玩過:</P><P><STRONG>Advanced Routing</STRONG></P><UL><LI>Multihop Ping and Multiple ISPs in Policy-Based Routing</LI><LI>Multihop Ping in Static Routes</LI><LI>BFD in Static Routes</LI><LI>VSX VSID in Netflow</LI></UL><P>但是Public cloud的R80.30不知道釋出了沒有。</P> Mon, 13 May 2019 02:12:31 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53258#M499 Neville_Kuo 2019-05-13T02:12:31Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53267#M500 上周部署AWS暂时还没有R80.30。<BR />之前的问题后面用了BGP来解决。但是后面发现AWS上，在HA切换后Route-based VPN会起不来，导致BGP路由学不到。<BR />还在和TAC沟通中。 Mon, 13 May 2019 04:56:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53267#M500 Dawei_Ye 2019-05-13T04:56:00Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53479#M501 今天突然发现sk104418中提到：<BR />Route Based VPN (with VTI) is not supported over cluster solution.<BR /><BR />…… Wed, 15 May 2019 07:03:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53479#M501 Dawei_Ye 2019-05-15T07:03:00Z