cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Jason_Tan
Ivory

IPSec VPN - Link Selection

Currently, I had two IPSec VPNs, using ISP A and B to go out, respectively on a third-party firewall. The peers were third-party firewalls too.

Assuming I wanted to migrate to Check Point firewall platform. Does Check Point firewall R80.10 support this kind of setup? If yes, where should I configure under IPSec VPN -> Link Selection subsection, on the firewall object?

Thank you.

8 Replies

Re: IPSec VPN - Link Selection

Configure Link Selection and ISP Redundancy in the Other > ISP Redundancy page of the Gateway object.

Or see VPN Pre-R80 Security Gateways with R80 Security Management under Link Selection.

Regards,

Heiko

0 Kudos

Re: IPSec VPN - Link Selection

Sorry, now the right link: Site to Site VPN R80.10 Administration Guide

Configure Link Selection:

>  Security Gateway Properties > IPsec VPN > Link Selection

Regards

Heiko

0 Kudos

Re: IPSec VPN - Link Selection

Assuming ISP A and ISP B are reachable through two separate physical interfaces on the firewall, you'll want to select "Calculate IP based on Network Topology" on the Link Selection page.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Danny
Pearl

Re: IPSec VPN - Link Selection

In case the peers will continue to be third-party firewalls, Link Selection won't be an option for you, as it relies on a Check Point proprietary protocol. Then your only chance is to use VTIs. Read more here.

Re: IPSec VPN - Link Selection

Even with third party peers, you can use link selection, set the source to be based on the incoming connection.

ISP redundancy is another thing, but when the other side is capable of trying the other IP you can still use this setting.

Regards, Maarten
0 Kudos

Re: IPSec VPN - Link Selection

Interessing post

Maarten Sjouw‌ can you please elaborate your last comment.

I have a lof of existing s2s via one ISP and I want to test for one third party peer, s2s vpn using one new second ISP line.

Thank you 

0 Kudos

Re: IPSec VPN - Link Selection

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month period in which we moved all the 3rd parties one by one.

How? Well quite simple actually. first setting to change is the link selection Source IP address setting, (in R77.30 it was also possible to setup the outgoing interface) to Manual and set it to IP Address of chosen interface.

In the OS routing table the default route is either of the 2 ISP's. In our case we direct those IP's of the remote site's to the correct interface, this way the traffic will go out the right interface and use the IP of that ISP. The other side will also use that specific IP to build the tunnel.

Regards, Maarten

Re: IPSec VPN - Link Selection

Oh great!

Thank you Maarten. It's very clear and I planned to do it like you did 

0 Kudos