Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Advisor

Can we achieve IPsec VPN redundancy with AWS using MEP?

Hi Team,

 

I have 5400 pair of firewalls in cluster and have ISP redundancy configured on it. Since I have two IPS links terminated on my cluster wanted to know if I can configure IPsec VPN redundancy in policy based VPN with AWS? Since AWS does provide VTI tunnels and demands run dynamic protocols over tunnel to achieve redundancy like BGP ECMP or similar. 

Can we achieve IPsec VPN redundancy with using MEP then with 3rd party vpn provider?

 

TIA

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

Generally the only reliable way to do VPN with AWS is going the VTI/BGP route.
Can you make that work with ISP Redundancy? I would assume so.

MEP with third parties requires R80.30+ and use of DPD.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
No idea if that will work with AWS or not.

0 Kudos
Blason_R
Advisor

No VTI with BGP and I am sure Check Point does not support Failover or redundancy. Its becuase even if Check Point has multiple ISP interfaces the settings on VPN Link selection allows only IP address to negotiate with Peer and in this case there is only one IP address can be configured. Again once the tunnel is up between peers then VTI IP addresses negotiate route tables. 

Hence I am pretty sure VPN redundancy can not be achieved with VTI from Check Point end. I was wondering about policy based VPN using DPD.

0 Kudos
Blason_R
Advisor

Hi,

Does MEP supports this solution? If Check Pont has multiple interfaces can we form the different tunnels using MEP?

 

0 Kudos
PhoneBoy
Admin
Admin

MEP doesn't necessarily allow this either, except for the remote end of the connection.
On the local end, you're still using the Link Selection setting.
The Link Selection setting can be used to specify the source IP based on the interface the traffic is routed out.

0 Kudos
Blason_R
Advisor

Correct - So if remote end has two links we can set it up using MEP but local end has dual link I really doubt we can switch the traffic over to other link if one of ISP at local end is down.

 

0 Kudos
PhoneBoy
Admin
Admin

Again, the Link Selection setting can be used to specify the source IP based on the interface traffic is routed out.
And ISP Redundancy (or some clever routing settings) can fail over to the other ISP.

But, again, you're way better off doing all this with BGP+VTI the way Amazon recommends.

0 Kudos
Blason_R
Advisor

Yes - However I am trying to achieve VPN redundancy with local gateway and all those settings specified on VPN link selection page are only applicable to RDP I believe not with DPD.

 

0 Kudos
PhoneBoy
Admin
Admin

With R80.30+ it should also apply to DPD, as far as I know.

0 Kudos