This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2021-07-11 10:29 PM

Can we achieve IPsec VPN redundancy with AWS using MEP?

Hi Team,

 

I have 5400 pair of firewalls in cluster and have ISP redundancy configured on it. Since I have two IPS links terminated on my cluster wanted to know if I can configure IPsec VPN redundancy in policy based VPN with AWS? Since AWS does provide VTI tunnels and demands run dynamic protocols over tunnel to achieve redundancy like BGP ECMP or similar. 

Can we achieve IPsec VPN redundancy with using MEP then with 3rd party vpn provider?

 

TIA

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2021-07-11 10:51 PM

Generally the only reliable way to do VPN with AWS is going the VTI/BGP route.
Can you make that work with ISP Redundancy? I would assume so.

MEP with third parties requires R80.30+ and use of DPD.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
No idea if that will work with AWS or not.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-07-12 12:53 AM
In response to PhoneBoy

No VTI with BGP and I am sure Check Point does not support Failover or redundancy. Its becuase even if Check Point has multiple ISP interfaces the settings on VPN Link selection allows only IP address to negotiate with Peer and in this case there is only one IP address can be configured. Again once the tunnel is up between peers then VTI IP addresses negotiate route tables. 

Hence I am pretty sure VPN redundancy can not be achieved with VTI from Check Point end. I was wondering about policy based VPN using DPD.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-07-19 10:44 PM
In response to PhoneBoy

Hi,

Does MEP supports this solution? If Check Pont has multiple interfaces can we form the different tunnels using MEP?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-20 10:32 AM
In response to Blason_R

MEP doesn't necessarily allow this either, except for the remote end of the connection.
On the local end, you're still using the Link Selection setting.
The Link Selection setting can be used to specify the source IP based on the interface the traffic is routed out.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-07-20 11:47 PM
In response to PhoneBoy

Correct - So if remote end has two links we can set it up using MEP but local end has dual link I really doubt we can switch the traffic over to other link if one of ISP at local end is down.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-21 03:45 PM
In response to Blason_R

Again, the Link Selection setting can be used to specify the source IP based on the interface traffic is routed out.
And ISP Redundancy (or some clever routing settings) can fail over to the other ISP.

But, again, you're way better off doing all this with BGP+VTI the way Amazon recommends.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-07-21 08:47 PM
In response to PhoneBoy

Yes - However I am trying to achieve VPN redundancy with local gateway and all those settings specified on VPN link selection page are only applicable to RDP I believe not with DPD.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-21 08:51 PM
In response to Blason_R

With R80.30+ it should also apply to DPD, as far as I know.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events