Jacques_Spelier
Contributor

How can I setup a primary and backup S2S VPN tunnels

Scenario:

1 local Check Point R80.10 gateway cluster (site L1) needs to establish a primary site-to-site tunnel to a remote Fortinet gateway (site R1) having HostA and HostB. A secondary remote site (R2) exists housing HostC, sync'ed from R1 HostA. There is a "link" between R1 and R2 managed by the Vendor. The L1 gateway needs to have a backup/secondary site-to-site tunnel to R2 in the event the R1 gateway is not available.

Users behind L1 access HostA and HostB through primary tunnel to R1. Users behind L1 access HostC at R2 via primary tunnel to R1 and then link to R2.

Question: For us to have automatic failover of traffic destined to HostA, HostB and HostC to flow over the secondary tunnel, would configuring route statements on the gateway's OS with different priority work?

    hostA  nexthop gw X  priority1  (flows over tunnel to R1)
    hostA  nexthop gw Y  priority2  (flows over tunnel to R2)

Would the gw IP be the actual Fortinet IP or would it be an IP within the tunnel?

Note: This setup would be extended to another local site (L2) to provide redundancy in the event of losing L1.

Thanks.

8 Replies
PhoneBoy
Admin

If you want the routing table to determine priority, you need to configure the VPN with VTIs.

See the Route-Based VPN section of: Site to Site VPN R80.10 - Part of Check Point Infinity 

VENKAT_S_P
Collaborator

Seems like the configs shown under "Configuring member_GWA1" need correction.

Site to Site VPN R80.10 Administration Guide 

================

--------- Add vt-GWb
VPN shell:[/] > /interface/add/numbered 10.0.1.11 10.0.0.2 GWb
Interface 'vt-GWb' was added successfully to the system
--------- Add vt-GWc
VPN shell:[/] > /interface/add/numbered 10.0.1.21 10.0.0.3 GWc
Interface 'vt-GWc' was added successfully to the system

================

I checked one for R77 and found the same.

Route Based VPN 

Danny
Champion

You could also check if Domain Based VPN with Link Selection and Probing might be a solution for you.

KennyManrique
Advisor

Hello Danny,

I think Link Selection with Probing will not work in this case since there is a Fortinet device on the remote end.

This setting only works when you have other Check Point devices managed by the same Security Management, so at policy install you are telling them to use RDP probing to test the addresses on the list.

Dameon's recommendation of using Route Based VPN will be more adequate for this scenario. Since Fortinet supports this technology, the most adequate approach is to use Numbered VTIs. This way all the encryption is done according to the routing table and you can define different priorities for the traffic. Also, there is the advantage that he's using R80.10, so Route Based VPN works without disabling CoreXL.

Regards.
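The numbered-VTI setup recommended in the replies above, as an added example that is not part of this thread or of Check Point's documentation: a POSIX shell script that generates the Gaia clish commands for two numbered VTIs (primary to R1, backup to R2) and the primary/backup static routes the original post asks about. The peer object names FG_R1 and FG_R2, the VTI subnets 10.99.1.0/30 and 10.99.2.0/30, the HostA/HostB network 192.0.2.0/24 and the HostC address 198.51.100.10 are assumptions chosen for illustration; replace them with your own. The nexthop of each route is the remote VTI address (the IP inside the tunnel), not the Fortinet's public address, and the local and remote VTI addresses of one tunnel sit in the same /30.

```shell
#!/bin/sh
# Added example: build Gaia clish commands for a route-based VPN with a
# primary tunnel (R1) and a backup tunnel (R2).  All names and addresses
# below are hypothetical placeholders, not values from the thread.

# Tunnel definitions: "<tunnel-id> <local-vti-ip> <remote-vti-ip> <peer-object>"
# The VTI id (1-99 in the R80.10 guide) becomes interface vpnt<id>.
TUNNELS='1 10.99.1.1 10.99.1.2 FG_R1
2 10.99.2.1 10.99.2.2 FG_R2'

# Destinations that must fail over from R1 to R2 (assumed addressing).
DESTS='192.0.2.0/24
198.51.100.10/32'

# One "add vpn tunnel" line per VTI; local/remote are the tunnel-internal
# addresses, peer is the VPN peer object name from SmartConsole.
gen_vti_config() {
    printf '%s\n' "$TUNNELS" | while read -r id lip rip peer; do
        echo "add vpn tunnel $id type numbered local $lip remote $rip peer $peer"
    done
}

# One static route per destination per tunnel.  Lower priority number wins,
# so tunnel 1 (R1) carries traffic while it is up.  "ping on" enables Gaia's
# nexthop monitoring so the priority-1 route is withdrawn when the remote VTI
# address stops answering and the priority-2 route to R2 takes over.
gen_route_config() {
    printf '%s\n' "$DESTS" | while read -r dest; do
        prio=1
        printf '%s\n' "$TUNNELS" | while read -r id lip rip peer; do
            echo "set static-route $dest nexthop gateway address $rip priority $prio on"
            prio=$((prio + 1))
        done
        echo "set static-route $dest ping on"
    done
}

# Apply on a Gaia gateway by feeding each line to clish, then persist.
apply_config() {
    { gen_vti_config; gen_route_config; } | while read -r cmd; do
        clish -c "$cmd"
    done
    clish -c "save config"
}

if [ "${1:-}" = "--apply" ]; then
    apply_config
else
    gen_vti_config
    gen_route_config
fi
```

Run without arguments to review the generated commands; run with `--apply` on each gateway member as a user with clish access. On a ClusterXL cluster the member VTI addresses and the cluster's virtual VTI address are configured separately (the Route Based VPN section of the admin guide linked above covers that), and the VPN community on the Fortinet side must be configured as route-based as well, with matching VTI addressing, or the routes will point into a tunnel that never comes up.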

Danny
Champion

You are absolutely right, as Link Selection Probing relies on a Check Point proprietary protocol. I was just giving a more open answer to others reading this, sometimes being in a similar situation. In cases where you are limited to Domain Based VPN (e.g. VSX users - sk110519, sk30975, sk79700) your only choice is to evaluate and go with Link Selection. If your VPN partner doesn't have a Check Point solution you might need to set up a dedicated Non-VSX VPN Gateway and use VTIs, or ask your VPN partner to use Check Point.

Albert_Wilkes
Collaborator

While probing is likely to fail using CP proprietary RDP with 3rd-party devices, there is some value in Link Selection. Rather than relying on RDP to find the path, you could rely on the 3rd-party device's decision, as discussed here as well:
https://community.checkpoint.com/t5/General-Topics/IPSec-VPN-Link-Selection/m-p/10729/highlight/true...
If you can get the remote peer to establish the session first you should be golden using "reply from same interface".
VENKAT_S_P
Collaborator

Can I configure both numbered and unnumbered VTIs on the same box?

Unnumbered with OSPF and numbered with BGP?

Just to note: the R80.10 admin guide says 1-99 VTIs, but when checked it can scale up to 0..32768.

Jacques_Spelier
Contributor

Thanks everyone for the useful feedback. Any concerns with the same local gateways terminating other, different VPNs in a different configuration? More than 3 communities, some mesh, some star.
