IPSEC Dynamic Routing with SmartProvisioning

Hello,

At the moment we are working on a concept to introduce dynamic routing within our IPSEC environment.

We have a lot of SMB devices (1400 boxes) which will be centrally administered with SmartProvisioning profiles.

Our Sites team wants a concept where every SMB device has a VPN tunnel to each other to allow direct data exchange between the sites, with a dynamic routing protocol behind it (like OSPF). We think we need something like a VPN Mesh Community, but there I can't add LSM profiles as "participating gateways".

I also created a view of our current concept and the future concept (see attachments).

I hope that someone has a good idea how we can design that, because I don't want to switch our IPSEC VPN solution to another vendor...

Thanks.

Florian
Re: IPSEC Dynamic Routing with SmartProvisioning

Florian,

SmartLSM profiles as meshed center gateways is not possible. This configuration does not work and is not supported.

That's why you can't add your LSM profile.

If you want to get connectivity between the networks behind your 14xx you have to use VPN routing via the central CO-gateway. You are doing this now via VTIs.

We had this running without VTIs. It works with the normal VPN routing configuration of the VPN community. Only if you have non-SmartLSM gateways as satellites do you have to follow "VPN Routing does not work and traffic to other satellites leaves in 'clear' when setting up SmartLSM"... No static routes, and if remote 14xx gateways change their external IPs, the CO-gateway learns these.

I think direct VPN connections (meshed) between your 14xx gateways are only possible if you are not using SmartLSM profiles and have all 14xx gateways defined as normal gateways in SmartConsole.

With SmartLSM profiles you have to use VPN routing.

Wolfgang

Re: IPSEC Dynamic Routing with SmartProvisioning

Hello Wolfgang,

Thank you for that information.

<<I think direct VPN connections (meshed) between your 14xx gateways are only possible if you are not using SmartLSM profiles and have all 14xx gateways defined as normal gateways in SmartConsole.>>

Would be really bad if Check Point won't support that with SmartLSM. 😞

It's not our concept to have a lot of 1400 gateways configured without an LSM profile, because there are some management limitations which are very poor.

For example, installing the FW policy on more than 10 gateways in parallel will time out on the management server and does not work. That's really a big issue for us when you need to push a policy change to 100 gateways....

As routing protocol, did you use OSPF?

Regards

Florian


Re: IPSEC Dynamic Routing with SmartProvisioning

I know the limitation of handling a large number of small appliances 😪 That's why SmartLSM is your tool.

No OSPF is needed.

Routing via the central CO-gateway does not need any dynamic routing protocol nor static routes to the networks behind your 14xx gateways. The routing is done via the routing capability of your VPN community.

Why do you need the direct connection between your gateways?

Wolfgang


Re: IPSEC Dynamic Routing with SmartProvisioning

Hello Wolfgang,

<<Routing via the central CO-gateway does not need any dynamic routing protocol nor static routes to the networks behind your 14xx gateways. The routing is done via the routing capability of your VPN community.>>

We use route-based VPN with tunnel interfaces, and with this configuration we need OSPF.

After your last post I did change my concept (see attachment).

I think we should design more than one firewall as CO gateway and add all of the CO gateways as center firewalls to the VPN community.

That should match our requirements for most use cases. Via OSPF the best route to the destination network should be selected automatically. If one CO gateway is down, routing should switch to one of the other CO gateways.

Has anyone tried before to add more than one CO gateway as center firewall to the same community?

Regards

Florian
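The failover behaviour Florian describes in his last post (several CO gateways as center firewalls, OSPF over the VTIs picking the best path, traffic shifting to a surviving CO gateway when one fails) can be sanity-checked with a small path-selection model before touching real gateways. The following is an added example written for this thread; it is not code from the thread or from Check Point. Site names, hub names and OSPF interface costs are constructed, the VPN community's own routing logic is not modelled, and OSPF is approximated as a shortest-path (Dijkstra) computation over the surviving tunnel interfaces, which is the result OSPF converges to once a failed hub's adjacencies have dropped. Spokes have tunnels only to hubs, matching Wolfgang's point that a SmartLSM mesh is not supported.

```python
"""Added example (not from the thread or from Check Point): a hub-and-spoke VPN
routing model. Spoke (14xx) gateways have one VTI per central CO gateway and no
direct spoke-to-spoke tunnels. OSPF is approximated by Dijkstra over the VTIs
that are still up. Topology, names and costs are constructed for this example."""
import heapq
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]


def build_hub_spoke(spokes: List[str], hubs: List[str],
                    cost: Dict[Tuple[str, str], int]) -> Graph:
    """Undirected weighted graph with one VTI per (spoke, hub) pair and no
    spoke-spoke links. `cost` is the OSPF interface cost keyed by (spoke, hub)."""
    graph: Graph = {node: {} for node in spokes + hubs}
    for spoke in spokes:
        for hub in hubs:
            graph[spoke][hub] = cost[(spoke, hub)]
            graph[hub][spoke] = cost[(spoke, hub)]
    return graph


def shortest_path(graph: Graph, src: str, dst: str,
                  down: FrozenSet[str] = frozenset()) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra with the nodes in `down` removed (a failed CO gateway no longer
    appears in the SPF tree). Returns (total cost, path) or None if no path survives."""
    dist: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    queue: List[Tuple[int, str]] = [(0, src)]
    while queue:
        d, node = heapq.heappop(queue)
        if node == dst:
            path = [node]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist[node]:
            continue  # stale queue entry, a cheaper route was already found
        for nxt, weight in graph[node].items():
            if nxt in down:
                continue
            cand = d + weight
            if cand < dist.get(nxt, float("inf")):
                dist[nxt] = cand
                prev[nxt] = node
                heapq.heappush(queue, (cand, nxt))
    return None


# Constructed sample: two spokes, two CO gateways; co1 is preferred via lower VTI cost.
SPOKES = ["site-a", "site-b"]
HUBS = ["co1", "co2"]
VTI_COST = {
    ("site-a", "co1"): 10, ("site-a", "co2"): 20,
    ("site-b", "co1"): 10, ("site-b", "co2"): 20,
}
TOPOLOGY = build_hub_spoke(SPOKES, HUBS, VTI_COST)


def route(src: str, dst: str, failed_hubs: Iterable[str] = ()) -> Optional[Tuple[int, List[str]]]:
    """Spoke-to-spoke route under the given CO gateway failures."""
    return shortest_path(TOPOLOGY, src, dst, frozenset(failed_hubs))


if __name__ == "__main__":
    print("normal:   ", route("site-a", "site-b"))
    print("co1 down: ", route("site-a", "site-b", ["co1"]))
    print("both down:", route("site-a", "site-b", ["co1", "co2"]))
```

With both CO gateways up, site-a reaches site-b through co1 at cost 20; with co1 failed, the path moves to co2 at cost 40; with both failed there is no path at all, because the spokes have no tunnel to each other. That last case is the one to plan for: the number of center gateways bounds how many simultaneous failures the spoke-to-spoke traffic survives.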