SriNarasimha005
Collaborator

Checkpoint IPSEC VPN with 2 different links

Hi There,

I'd like to set up a Check Point IPSEC VPN (Active/Standby) with 2 Cisco routers via 2 different links. Although these are internal links, we've configured IPSEC for encryption, and the interface addresses would be internal.

I've attached the topology for better visualization.

Can we have IPSEC tunnel from CP to 2 different links? Please let me know.

14 Replies
TurgutKaplanogl

Hello,

What is your GW and Management version?

Thanks

SriNarasimha005
Collaborator

Hi @TurgutKaplanogl 

Thanks for your reply. MDS is running in R82 and firewalls are in R81.20

Peer devices are Cisco routers configured for domain-based VPN using "match address <ACL>" under the crypto map.

TurgutKaplanogl

Hi @SriNarasimha005 

You can implement this SK for your environment:

How to configure Site-to-Site ISP Redundancy and Tunnel Management with Third-Party VPN Gateways

https://support.checkpoint.com/results/sk/sk184489

If you want to use domain-based VPN, I can provide a different method.

Thank you

SriNarasimha005
Collaborator

Hi @TurgutKaplanogl 

Thanks for sharing it.

Can you please share it for a domain-based VPN?

the_rock
MVP Diamond

I will take a screenshot of how one of our clients has this configured for link selection and share it.

Best,
Andy
the_rock
MVP Diamond

@SriNarasimha005 

This is how we did it for them with high-availability ISPR.

Screenshot_1.png

Best,
Andy
SriNarasimha005
Collaborator

Hi @the_rock 

Many thanks for sharing the info. Can you please help to share the SK for domain-based VPN, so I don't miss any steps.😊

the_rock
MVP Diamond

Not sure if there is an SK or not for domain-based.

Best,
Andy
SriNarasimha005
Collaborator

Hi @PhoneBoy 

Need your help please.

the_rock
MVP Diamond

In the meantime, maybe worth checking with TAC as well.

Best,
Andy
the_rock
MVP Diamond

This is the closest one I could find.

https://support.checkpoint.com/results/sk/sk53980

Mind you, even the SK @TurgutKaplanogl provided is probably relevant for domain-based VPN tunnels, except you just need to modify the VPN domains to the proper ones, rather than an empty group.

Best,
Andy
PhoneBoy
Admin

Considering the original poster is asking about this for internal links, I don't think ISPR is the right answer here.
You'll probably need the Enhanced Link Selection features in R82 to do this properly.
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

SriNarasimha005
Collaborator

Hi @PhoneBoy 

Many thanks for sharing it.

Yup, they're MPLS/private links and we're using IPSEC (domain-based) VPN for better security. CP would have the internal IP addresses.

I don't see any SK article and below are the high-level steps. Can you please let me know if I miss anything?

1. Navigate to the FW object and add both internal IP addresses that are connected to the private links.

2. Create a Star VPN community

Center Gateway: Check Point ClusterXL.

Satellite Gateways: Both Cisco routers (define as interoperable devices).

3. VPN routing:

In the VPN community, set VPN Routing to "To center, or through the center to other satellites."

4. Go to Enhanced Link Selection and select the interfaces.

5. Configure VPN domain, security policy as needed.

Also, can you please let me know if DPD is enabled by default?

Verify Interface Availability.

  1. The Security Gateway uses Dead Peer Detection (DPD) to monitor the status of the interface.

  2. Ensure that DPD packets are being sent and received correctly to maintain the active status of the tunnel.

PhoneBoy
Admin

At a high level, that looks correct.
For new installs, DPD should be enabled by default: https://support.checkpoint.com/results/sk/sk108600 

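As an added example, not taken from the thread or from Check Point or Cisco documentation, here is what the peer side of the procedure above looks like on one of the two Cisco routers: an IKEv1 crypto map whose "match address" ACL mirrors the VPN domain configured on the Check Point objects, DPD enabled on the router as well, and the peer set to the Check Point interface that sits on this router's own private link (which is the interface Enhanced Link Selection must pick for this peer). All addresses, object names, the pre-shared key placeholder and the crypto parameters are assumptions. The second router is configured identically, with its own link interface and the Check Point address on that link as the peer, and the IKE/IPsec parameters must match whatever the Star community negotiates.

```cisco
! Router A, on private link A (assumption). Router B is identical except for
! the link interface, the peer address and its own protected subnet in the ACL.
!
! Phase 1 (IKEv1). Placeholder values; must match the Check Point community.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Peer is the Check Point interface address on THIS link (domain-based VPN,
! one Interoperable Device object per router on the Check Point side).
crypto isakmp key <pre-shared-key> address 10.1.1.1
!
! Dead Peer Detection on the Cisco side: probe every 10 s, 3 retries.
! "periodic" probes even while traffic flows; "on-demand" only probes an idle peer.
! IKEv2 equivalent: crypto ikev2 dpd 10 3 periodic
crypto isakmp keepalive 10 3 periodic
!
! Phase 2
crypto ipsec transform-set TS-CP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Encryption domain: this router's protected subnet <-> networks behind the
! Check Point. Must mirror the VPN domains defined on the Check Point objects
! (router subnet on the Interoperable Device, 172.16.0.0/16 on the gateway/cluster),
! otherwise the Phase 2 proposal will not match.
ip access-list extended VPN-TO-CP
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
!
crypto map CMAP-CP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TS-CP
 set pfs group14
 match address VPN-TO-CP
!
interface GigabitEthernet0/1
 description Private link A towards Check Point interface 10.1.1.1
 ip address 10.1.1.2 255.255.255.252
 crypto map CMAP-CP
!
! Verification after pushing policy on the Check Point side:
!   show crypto isakmp sa            (Phase 1 state QM_IDLE to 10.1.1.1)
!   show crypto ipsec sa peer 10.1.1.1
!   show crypto isakmp peers         (shows DPD keepalive negotiation)
```

Because each router only ever sees the Check Point address on its own link, failover is decided on the Check Point side (which interface Enhanced Link Selection uses towards each peer, and DPD deciding when a tunnel is dead), not by a second "set peer" on the router; adding the other link's Check Point address as a backup peer here would only make sense if that router were also reachable over both links.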