Hi Ole,

If you are not using the VTI does this mean you plan to send traffic between your on-prem and the TransitVPC gateways in the clear over the internet or were you planning to use domain-based VPN instead?

Hi Yoayan,

Thanks for your reply.

I have a Direct Connect line, which is a closed circuit from on-prem directly to a AWS region Data center. Therefore, no traffic from on-prem to AWS will transmitted over the internet.

The guides say that either way, Direct Connect or internet, you have to use VTI to connect your on-prem gateway to the gateways int the AWS Transit VPC, because of the BGP peering.

As I run VSX on my on-prem gateway that terminates the Direct Connection, I can't use VTI because it is not supported on VSX.

Therefore, I was think that I could skip the VTI interfaces and use BGP multihop for the peering between my on-prem gw and the Transsit gw.

My only concern is, will it work with BGP multihop?

Cheers

Ole

Hi Ole,

Can you point me to the exact place where it says you need VTI when using Direct Connect? 

I think it might be a mistake (I could be wrong, but that doesn't sound right...).

I haven't had much experience with Direct Connect (or with VSX for that matter) but as far as I know, it supports BGP so I suspect it will just work.

This can be easily tested - create a CP GW on a VPC and just test BGP and connectivity between your VSX and a single CP gateway.

The VTI is mainly used for the VPN tunnel. It's true that the BGP has a single hop, but since Direct Connect should support BGP I assume it's propagated along the route - again should be easily verified.

HTH

 Yonatan 

Hi Yonatan

This diagram is from sk120534 and uses a Direct Connect.

The SK uses VTI. It is also mentioned in the articles and guides I listed above. In the articles similary pictures is used both DC and VPN over internet is showed as exsamples for the same VTI configuration.

I hope that clarifies it.

I'll try to set up a test with BGP multihop.

BGP is supported in a VS on VSX.

Cheers

Ole

Hi,

This diagram is the typical way to do it.

The VTI's are between the CloudGuard gateways and the AWS VGW which is unattached and connected to DirectConnect.

So no need for VTI's in On-prem gateway.

Arnfinn

Hi Arnfinn,

Thanks for your reply.

If I understand you correct, BGP multihop is the way to go if I use Direct Connect?

Cheers

Ole

Well, if you create Route-Based VPN's between the CloudGuard gateways and the AWS VGW, you don't need BGP Multi-hop. BGP will run over the VPN between CloudGuard gateways and the AWS VGW. This is single hop.

Arnfinn

As I understand Route-Based VPN it is based on VTI interfaces. VTI is not supported on VSX.

Ole

VTI is currently not supported on VSX.

As I understand you don't need encryption for the traffic over the DirectConnect, so there is no need to have VTI support on the On-prem gateway.

There are Route-Based VPN's (uisng VTI's) between the CloudGuard gateways and the AWS VGW. Between the AWS VGW and On-prem there is the DirectConnect without VPN.

Arnfinn

So with no direct link (eg VTI) between on-prem gw and CG gw BGP multihop is needed for the peering to work. Right?

/O

Hi,

I don't see why. There will be an other BGP peering between the AWS VGW and On-prem (or Service Providers BGP router).

Arnfinn

Ok. I was just so hung up on the fact that I thought the Check Point gateways had to peer because that was how its described in the docs. Or at least that was how I read it.

So in short:

On-prem gw BGP peer to Service provider of Direct Connect router

GC gw BGP peer with VGW in Transit VPC

Ole

The VGW is not "in" the Transit VPC or any other VPC, it is unattached.

In short:

On-prem gateway BGP peer to Service provider BGP router of DirectConnect (optional)

Service provider BGP router of DirectConnect BGP peer to unattached AWS VGW.

unattached AWS VGW BGP peer to both CloudGuard gateways

Arnfinn

Then that settles it

Thank you for your help and I'm sorry that I didn't understand the documentation first time I read it

/O

I went through the whole comments.  Thank you for sharing.  I have a similar issue.  We are implementing Direct connect, but for now we have a VPN using a VSX virtual system to connect to a VGW.  We want to migrate that VPN connection to an actual pair of Cloud Guard Transit gateways.  When we do that VPN is established, but the request flows between a transit Cloud Guard FW in AZ1, which is routed through transit VPC, to its corresponding EC2 instance in a different VPC, in a a specific AZ.  The reply from that EC2 instance is routed through a transit Cloud Guard FW in AZ2 (Which is blocked because it is asymetric,  this CGFW didn't see the SYN coming). 

I got two different suggestions:

1. Checkpoint support mentioned that to fix this I was supposed to configure BGP between CG transit FW, and on-prem (VSX that doesn't support VTIs).  My question is:  is possible to setup BGP over two different VPNs using public IPs and private ASN between two CG transit FWs, and on-prem VSX?.  Will this fix my issues regarding asymmetric routing?

2.  Somebody else was mentioning to configure MEP on actual CG transit FWs to select an active, and a standby CG FW.  At the same time configure BGP routemaps with different priorities to make always a CG FW Active, and other one Standby.

Another question I have is:  Will this BGP implementation on my actual VS VPN firewall cause any potential impact on my other actual VPNs with third parties?.

Thanks for all suggestions I can get from you.