Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jason_Tan
Explorer

IPSec VPN - Link Selection

Currently, I had two IPSec VPNs, using ISP A and B to go out, respectively on a third-party firewall. The peers were third-party firewalls too.

Assuming I wanted to migrate to Check Point firewall platform. Does Check Point firewall R80.10 support this kind of setup? If yes, where should I configure under IPSec VPN -> Link Selection subsection, on the firewall object?

Thank you.

12 Replies
HeikoAnkenbrand
Champion Champion
Champion

Configure Link Selection and ISP Redundancy in the Other > ISP Redundancy page of the Gateway object.

Or see VPN Pre-R80 Security Gateways with R80 Security Management under Link Selection.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Sorry, now the right link: Site to Site VPN R80.10 Administration Guide

Configure Link Selection:

>  Security Gateway Properties > IPsec VPN > Link Selection

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Timothy_Hall
Legend Legend
Legend

Assuming ISP A and ISP B are reachable through two separate physical interfaces on the firewall, you'll want to select "Calculate IP based on Network Topology" on the Link Selection page.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Danny
Champion Champion
Champion

In case the peers will continue to be third-party firewalls, Link Selection won't be an option for you, as it relies on a Check Point proprietary protocol. Then your only chance is to use VTIs. Read more here.

Maarten_Sjouw
Champion
Champion

Even with third party peers, you can use link selection, set the source to be based on the incoming connection.

ISP redundancy is another thing, but when the other side is capable of trying the other IP you can still use this setting.

Regards, Maarten
0 Kudos
Pathy
Participant

Interessing post

Maarten Sjouw‌ can you please elaborate your last comment.

I have a lof of existing s2s via one ISP and I want to test for one third party peer, s2s vpn using one new second ISP line.

Thank you 

0 Kudos
Maarten_Sjouw
Champion
Champion

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month period in which we moved all the 3rd parties one by one.

How? Well quite simple actually. first setting to change is the link selection Source IP address setting, (in R77.30 it was also possible to setup the outgoing interface) to Manual and set it to IP Address of chosen interface.

In the OS routing table the default route is either of the 2 ISP's. In our case we direct those IP's of the remote site's to the correct interface, this way the traffic will go out the right interface and use the IP of that ISP. The other side will also use that specific IP to build the tunnel.

Regards, Maarten
Pathy
Participant

Oh great!

Thank you Maarten. It's very clear and I planned to do it like you did 

0 Kudos
Timothy_Fan
Participant

We have setup ISP redundancy and it seems work bcs we can connect the 2nd ISP IP with smartconsole. However, the VPN is not working. Even i have choose the "Selected address from topology table" IP to the 2nd ISP IP. The log from another side firewall reported "IKE Initiator: Proposed IKE ID mismatch" and further log shows "VPN Policy: VPN_Office2; Local ID: 2nd ISP IP; Remote ID: 1st ISP IP. The checkpoint still answering the 1st ISP IP as and ID. How come ? THX

0 Kudos
SamiH
Contributor


@Maarten_Sjouw wrote:

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month period in which we moved all the 3rd parties one by one.

How? Well quite simple actually. first setting to change is the link selection Source IP address setting, (in R77.30 it was also possible to setup the outgoing interface) to Manual and set it to IP Address of chosen interface.

In the OS routing table the default route is either of the 2 ISP's. In our case we direct those IP's of the remote site's to the correct interface, this way the traffic will go out the right interface and use the IP of that ISP. The other side will also use that specific IP to build the tunnel.


Hi, I am currently in a same kind of situation and wanted to make sure I understood correctly. Ipsec VPN | Link selection page shows first IP Selection by Remote Peer. Should that be Calculate IP based on network topology? All others seem to be impossible solutions, when s2s connections would arrive in two interfaces.

Check Point manual recommends route based probing when using multiple ISP's for s2s's, but did you use just the OS routing table + source ip address setting of "IP address of chosen interface"?

0 Kudos
Kevin_Zeitler
Contributor

Hi SamiH,

Did you ever get ISP redundancy working with Checkpoint and third party VPN?

If so what settings did you use for link selection?

0 Kudos
Wolfgang
Authority
Authority

@Kevin_Zeitler 

Look at ISP Redundancy "Apply settings for VPN traffic" is not working with 3rd party vendors 

But you can probe the availability of your remote third party vpn gateway with enabling of DeadPeerDetection (DPD)

VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer 

Wolfgang

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events