https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/59496#M506 I want to mention that the new Check Point Maestro does not support VTI. It can be found under sk148074 Check Point Maestro Known Limitation. Would have saved me days of work if I read it earlier Fri, 02 Aug 2019 13:42:06 GMT Cyber_Serge 2019-08-02T13:42:06Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47344#M463 <P>實作 VTI unnumbered with 3rd party (FortiGate 60C, Juniper SSG5)，以下是簡略的 memo 留存。(只記錄我方重點步驟，其餘留default，或二端匹配之VPN設定)</P><P>VTI unnumbered<BR />1. GaIA - add vpn tunnel 1 type unnumbered local peer peergwname dev eth0<BR />2. GaIA - set static-route xx.xx.xx.xx/yy nexthop gateway logical vpnt1 on<BR />3. SmartConsole - Create a empty Group object. (I.E. VPN_Empty)<BR />4. SmartConsole - Create a Interoperable Devices - IPv4 Address<BR />5. SmartConsole - Modify Interoperable Devices - Topology - VPN Domain - Manually defined - VPN_Empty<BR />5. SmartConsole - Create a community with two firewall peers.</P> Mon, 18 Mar 2019 05:56:27 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47344#M463 George_Liu 2019-03-18T05:56:27Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47357#M464 <P>You found detail&nbsp; informations here:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm" target="_self">Site to Site VPN Administration Guide R80.10</A></P> Mon, 18 Mar 2019 06:39:50 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47357#M464 HeikoAnkenbrand 2019-03-18T06:39:50Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47358#M465 Tip:<BR />-use IKEv1<BR />-use same ProxyID<BR />- on ssg side:<BR /> - add gateway<BR /> - add VPN tunnel Interface <BR /> - add route<BR /> - add VPN role<BR /><BR /> Mon, 18 Mar 2019 06:55:16 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/47358#M465 HeikoAnkenbrand 2019-03-18T06:55:16Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48367#M467 <P>需注意corexl問題,在R77.30之前route based vpn不支援。</P> Sat, 23 Mar 2019 04:17:20 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48367#M467 Neville_Kuo 2019-03-23T04:17:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48409#M468 <P>通过static route priority能做出来两条route based vpn是Active/Standby的效果吗？</P> Sun, 24 Mar 2019 10:51:25 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48409#M468 Dawei_Ye 2019-03-24T10:51:25Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48416#M469 <P>當然可以,還可以做route monitor,或者配合dynamic routing做出漂亮的流量工程。</P> Sun, 24 Mar 2019 12:56:17 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48416#M469 Neville_Kuo 2019-03-24T12:56:17Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48942#M470 拜读过N大的Route-based vpn with OSPF.<BR />最近在测试route-based vpn ,当中需要用到pbr，好像pbr没办法通过priority来切换。<BR />还在测试中…… Thu, 28 Mar 2019 02:19:20 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48942#M470 Dawei_Ye 2019-03-28T02:19:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48947#M471 <P>如果您的PBR的next hop是多個IP,那我們的經銷夥伴測試過了,看來是不行,CP的routing功能不強。</P> Thu, 28 Mar 2019 06:41:42 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48947#M471 Neville_Kuo 2019-03-28T06:41:42Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48954#M472 嗯，我们有两条VPN Tunnel，想通过pbr中next hop优先级来做active/standby。<BR />看样子只能用dynamic routing了？ Thu, 28 Mar 2019 07:05:01 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/48954#M472 Dawei_Ye 2019-03-28T07:05:01Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/49015#M474 <P>如果需求只是這樣,那您就更應該考慮用dynamic routing了,試試用簡單的RIP,兩個interface設定不同cost,就可以達到您要的效果了,在小範圍裡它算最好上手的routing protocol了,當然記得policy要allow RIP,如果用OSPF更好。</P><P>PBR對securexl有反效果,所以對效能也有不好影響,我個人不建議也不喜歡。</P> Thu, 28 Mar 2019 12:10:29 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/49015#M474 Neville_Kuo 2019-03-28T12:10:29Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50061#M479 <P>unnumber vti 不支持 route ping monitor，最近測試發現的，現在準備試看看 vti number 能不能實現這個需求。</P> Sun, 07 Apr 2019 13:39:16 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50061#M479 George_Liu 2019-04-07T13:39:16Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50068#M480 <P>喬治哥:</P><P>基本上您的需求把vti介面設IP就對了,我們有個客戶跑了3條route based vpn,都有做route monitoring。</P><P>這個情況很正常,因為unnumber其實是和實體介面"借"了一個IP過來,如果要做route monitoring,對底層的OS而言,它會不知道要帶實體介面或者vti去ping next hop的,因為IP都是同一個。</P><P>假設Route based vpn架構單純(只有兩個點),懶得幫vti介面想IP,卻又要讓某些需要NAT traversal的應用(如IPsec或VOIP)封包通過的話,直接用unnumber很適合,因為您的目的只是為了有IP可以去轉換而已,但是如果像我們常會遇到Dynamic routing, route monitor,或vti有多個next hop的需求時, unnumber是行不通的。</P><P>所以後來我都不用unnumber interface了,即使架構簡單。</P><P>&nbsp;</P> Sun, 07 Apr 2019 15:03:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50068#M480 Neville_Kuo 2019-04-07T15:03:00Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50371#M481 <P>受益了。</P> Wed, 10 Apr 2019 03:34:31 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50371#M481 George_Liu 2019-04-10T03:34:31Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50372#M482 <P>To Dawei</P><P>實作 vti number + static route ping monitor + static route priority 可達到您要的 active /standby 線路需求。</P> Wed, 10 Apr 2019 03:36:14 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50372#M482 George_Liu 2019-04-10T03:36:14Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50692#M483 乔治哥，<BR /><BR />确实static route应该是可以的。<BR />后续我们使用了N大建议的OSPF，但是我这边是在AWS上测试，发现一个很奇怪的现象：<BR />由于我是通过Route-based VPN建立的OSPF，在AWS上ClusterXL切换最长可能要40+s，正好大于了OSPF的dead timer.<BR /><BR />所以，几乎每次都会切到另外一个neighbor，再切回来。<BR />而且我们发现，如果过了Dead Time,ClusterXL切换还没完成的话，有很大概率会发生主线路的route-based VPN不通的情况。<BR /><BR />大概需要30分钟，甚至更长，才能恢复。<BR />这时由于priority和cost的设置，路由会切回active线路。 Fri, 12 Apr 2019 05:23:39 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50692#M483 Dawei_Ye 2019-04-12T05:23:39Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50707#M484 <P>在公有雲上要想想別的辦法了,傳統的clusterxl機制不再,改成用API的方式,所以時間會比以前長很多,這好像是沒有辦法的事。</P> Fri, 12 Apr 2019 09:02:35 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50707#M484 Neville_Kuo 2019-04-12T09:02:35Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50830#M485 <P>对的。API的方式，没法改变。<BR />不过，我说的30分钟不是clusterXL failover的时间，正常failover的时间在40-60s左右。<BR /><BR />但是VPN这个问题，我现在只能开SR请TAC帮忙了。不知道能不能解决。</P> Sat, 13 Apr 2019 15:43:19 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/50830#M485 Dawei_Ye 2019-04-13T15:43:19Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53258#M499 <P>在R80.30的新功能可以試試,我還沒玩過:</P><P><STRONG>Advanced Routing</STRONG></P><UL><LI>Multihop Ping and Multiple ISPs in Policy-Based Routing</LI><LI>Multihop Ping in Static Routes</LI><LI>BFD in Static Routes</LI><LI>VSX VSID in Netflow</LI></UL><P>但是Public cloud的R80.30不知道釋出了沒有。</P> Mon, 13 May 2019 02:12:31 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53258#M499 Neville_Kuo 2019-05-13T02:12:31Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53267#M500 上周部署AWS暂时还没有R80.30。<BR />之前的问题后面用了BGP来解决。但是后面发现AWS上，在HA切换后Route-based VPN会起不来，导致BGP路由学不到。<BR />还在和TAC沟通中。 Mon, 13 May 2019 04:56:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53267#M500 Dawei_Ye 2019-05-13T04:56:00Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53479#M501 今天突然发现sk104418中提到：<BR />Route Based VPN (with VTI) is not supported over cluster solution.<BR /><BR />…… Wed, 15 May 2019 07:03:00 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/VTI-unnumbered-with-3rd-party/m-p/53479#M501 Dawei_Ye 2019-05-15T07:03:00Z