This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Collaborator
3 weeks ago
Jump to solution

Checkpoint IPSEC VPN with 2 different links

Hi There,

I'd like to setup checkpoint IPSEC VPN (Active/Standby) with 2 Cisco routers via 2 different links. Although these are Internal links, we've configured IPSEC for encryption and the interface addresses would be Internal.

I've attached the topology for better visualization.

Can we have IPSEC tunnel from CP to 2 different links? Please let me know.

Preview file
101 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
3 weeks ago
In response to the_rock
Jump to solution

Considering the original poster is asking about this for internal links, I don't think ISPR is the right answer here.
You'll probably need the Enhanced Link Selection features in R82 to do this properly.
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

View solution in original post

16 Replies
TurgutKaplanogl
MVP
MVP
3 weeks ago
Jump to solution

Hello,

What is your GW and Management version?

Thanks

0 Kudos
SriNarasimha005
Collaborator
3 weeks ago
In response to TurgutKaplanogl
Jump to solution

Hi @TurgutKaplanogl 

Thanks for your reply. MDS is running in R82 and firewalls are in R81.20

Peer devices are Cisco routers configured on domain-based VPN using "match address <ACL>" under crypto-map.

0 Kudos
TurgutKaplanogl
MVP
MVP
3 weeks ago
In response to SriNarasimha005
Jump to solution

Hi @SriNarasimha005 

You can implement this sk for your environment;

How to configure Site-to-Site ISP Redundancy and Tunnel Management with Third-Party VPN Gateways

https://support.checkpoint.com/results/sk/sk184489

If you want to use domain based VPN, I can provide different method.

Thank you

SriNarasimha005
Collaborator
3 weeks ago
In response to TurgutKaplanogl
Jump to solution

Hi @TurgutKaplanogl 

Thanks for sharing it.

Can you please share it for a domain-based VPN?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
3 weeks ago
In response to SriNarasimha005
Jump to solution

I will take a screenshot of how one of our clients has this configured for link selection and share it.

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
3 weeks ago
In response to the_rock
Jump to solution

@SriNarasimha005 

This is how we did it for them with high availability ISPR.

Screenshot_1.png

Best,
Andy
SriNarasimha005
Collaborator
3 weeks ago
In response to the_rock
Jump to solution

Hi @the_rock 

Many thanks for sharing the info. Can you please help to share the SK for domain-based VPN, so I don't miss any steps.😊

the_rock
MVP Diamond
MVP Diamond
3 weeks ago
In response to SriNarasimha005
Jump to solution

Not sure if there is an sk or not for domain based.

Best,
Andy
0 Kudos
SriNarasimha005
Collaborator
3 weeks ago
In response to the_rock
Jump to solution

Hi @PhoneBoy 

Need your help please.

the_rock
MVP Diamond
MVP Diamond
3 weeks ago
In response to SriNarasimha005
Jump to solution

In the meantime, maybe worth checking with TAC as well.

Best,
Andy
the_rock
MVP Diamond
MVP Diamond
3 weeks ago
In response to SriNarasimha005
Jump to solution

This is the closest one I could find.

https://support.checkpoint.com/results/sk/sk53980

Mind you, even sk @TurgutKaplanogl provided is probably relevant for domain based vpn tunnels, except you just need to modify vpn domains to proper ones, rather than empty group.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to the_rock
Jump to solution

Considering the original poster is asking about this for internal links, I don't think ISPR is the right answer here.
You'll probably need the Enhanced Link Selection features in R82 to do this properly.
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

SriNarasimha005
Collaborator
3 weeks ago
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy 

Many thanks for sharing it.

Yup, they're MPLS/private links and we're using IPSEC (Domain-based) VPN for better security. CP would be having the Internal IP addresses. 

I don't see any SK article and below are the high-level steps. Can you please let me know if I miss anything?

1. Navigate to FW object and add both the Internal IP address which are connected to the private links

2. Create a Star VPN community

Center Gateway: Check Point ClusterXL.

Satellite Gateways: Both Cisco routers (define as interoperable devices).

3. VPN routing:

In the VPN community, set VPN Routing to "To center, or through the center to other satellites."

4. Go to Enhanced Link selection and select the Interfaces

5. Configure VPN domain, security policy as needed.

Also, can you pls let me know if DPD is enabled by default 

Verify Interface Availability.

  1. The Security Gateway uses Dead Peer Detection (DPD) to monitor the status of the interface.

  2. Ensure that DPD packets are being sent and received correctly to maintain the active status of the tunnel

 

 

(1)
PhoneBoy
Admin
Admin
2 weeks ago
In response to SriNarasimha005
Jump to solution

At a high level, that looks correct.
For new installs, DPD should be enabled by default: https://support.checkpoint.com/results/sk/sk108600 

the_rock
MVP Diamond
MVP Diamond
2 weeks ago
In response to SriNarasimha005
Jump to solution

Those steps look logical. I will say, sometimes, I end up putting interoperable object as center gateways if things dont work. Not often, but something to keep in mind.

Best,
Andy
SriNarasimha005
Collaborator
2 weeks ago
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy 

Thanks for your help. May I request you to ask the relevant teams to prepare a SK relating to this?😊

Thank again.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events