Digo11
Contributor

IPsec S2S VPN Failover With 3rd Party Peer

Hello Community.

Greetings to all.

I have a single 6700 R81.10 SG with an SMS in VM as the distributed deployment.  I have two ISPs configured and defined as an external zone. I want to achieve IPsec tunnel failover, that is when ISP1 goes down, the tunnel should work through ISP2.

ISP redundancy is working properly. I have two default routes via ISP1 and ISP2 with different priorities. When ISP1 is down, traffic passes through ISP2.

I have configured two IPsec site-to-site VPNs using Mesh Topology. Initially, both tunnels show up and I can reach the remote peer encryption domain (Internal Network) via the primary link or tunnel.

ISP1: 10.11.200.10 (GW 10.11.200.1) - Default Route: 0.0.0.0 via 10.11.200.1 priority 1

ISP2: 192.168.6.90 (GW 192.168.6.1) - Default Route: 0.0.0.0 via 192.168.6.1 priority 4

IPsec VPN Primary: ISP1 - 10.11.200.10, Remote Peer - 192.168.3.99

IPsec VPN Secondary: ISP2 - 192.168.6.90, Remote Peer - 192.168.244.75

The Problem: When I manually shut the ISP1 interface, the traffic does flow via ISP2 but the IPsec tunnel does not come up. I cannot reach the remote peer encryption domain (Internal Network). CP still tries to answer the remote peer's request using the same ISP1, I guess. When I enable ISP1 again, the connection works fine.

Tried every bit in the IPsec Link Selection section but no progress. Followed this guide https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic... but no luck.

Any guidance will be really helpful.


Thank you.

Digo.

0 Kudos
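To make the failure mode in the post concrete, here is an added toy model (not Check Point code, and not the poster's configuration) of what happens when IKE is pinned to one ISP's address versus when it follows the active default route. The addresses and route priorities are the ones given above; the two "modes" are a simplified stand-in for a fixed-IP link selection versus an outgoing-interface/probing selection with a second remote peer, and the "up" flag on a link is the only failure signal modelled.

```python
"""Toy model: dual-ISP default-route failover vs. IPsec link selection.

Added illustration for this thread, not Check Point's implementation.
Link-selection behaviour is simplified to two modes:
  "fixed"    - IKE/ESP is always sourced from the pinned link's IP
  "outgoing" - IKE/ESP follows the active default route and the remote peer
               paired with that link is used (MEP-like behaviour)
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str
    local_ip: str
    gateway: str
    priority: int          # lower value wins, like the default-route priority in the post
    up: bool = True


@dataclass
class Site:
    primary_peer: str      # remote peer reached via ISP1 in the post
    secondary_peer: str    # remote peer reached via ISP2 in the post
    pinned_link: str       # link whose IP is used when selection is "fixed"


def active_default_link(links: List[Link]) -> Optional[Link]:
    """Return the up link with the best (lowest) default-route priority, or None."""
    up = [link for link in links if link.up]
    return min(up, key=lambda link: link.priority) if up else None


def select_endpoints(links: List[Link], site: Site, mode: str):
    """Return (local_ip, link_name, remote_peer) for the given selection mode."""
    active = active_default_link(links)
    if active is None:
        return None, None, None
    by_name = {link.name: link for link in links}
    link = by_name[site.pinned_link] if mode == "fixed" else active
    remote = site.primary_peer if link.name == "ISP1" else site.secondary_peer
    return link.local_ip, link.name, remote


def tunnel_state(links: List[Link], site: Site, mode: str) -> dict:
    """Tunnel is considered up only if the chosen source address sits on a live link."""
    local_ip, link_name, remote = select_endpoints(links, site, mode)
    if local_ip is None:
        return {"local": None, "link": None, "remote": None, "up": False}
    link_up = next(link for link in links if link.name == link_name).up
    return {"local": local_ip, "link": link_name, "remote": remote, "up": link_up}


def simulate(isp1_up: bool, isp2_up: bool, mode: str) -> dict:
    """Constructed topology from the post; returns the resulting tunnel state."""
    links = [
        Link("ISP1", "10.11.200.10", "10.11.200.1", priority=1, up=isp1_up),
        Link("ISP2", "192.168.6.90", "192.168.6.1", priority=4, up=isp2_up),
    ]
    site = Site("192.168.3.99", "192.168.244.75", pinned_link="ISP1")
    return tunnel_state(links, site, mode)


if __name__ == "__main__":
    for isp1 in (True, False):
        for mode in ("fixed", "outgoing"):
            state = "up" if isp1 else "DOWN"
            print(f"ISP1 {state:4} mode={mode:8} -> {simulate(isp1, True, mode)}")
```

The model reproduces the symptom described: with ISP1 shut, plain traffic follows the priority-4 default route out of ISP2, but a tunnel whose IKE source stays pinned to 10.11.200.10 never re-establishes, whereas a selection that follows the outgoing interface sources IKE from 192.168.6.90 and pairs it with the secondary remote peer.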
5 Replies
Blason_R
Leader

Is this a policy-based tunnel or route-based tunnels? What do your settings show under IPsec VPN -> Link Selection?

Have you selected specific IP there?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Digo11
Contributor

Hi @Blason_R 

It's a policy-based tunnel. IPsec link selection and ISP redundancy are configured as attached.


Regards,

Digo.

0 Kudos
Digo11
Contributor

Hello Community.

Can someone please guide me through the steps for getting the IPsec S2S tunnel failover done? I tried policy-based and route-based VPNs but the issue remains the same: the traffic does not switch to the secondary ISP or tunnel in case the primary is down.

@Chris_Atkinson  @Timothy_Hall @PhoneBoy @the_rock 

0 Kudos
Blason_R
Leader

Actually it's a limitation for sure and I have been struggling with this. However, you can try the MEP feature; I used this in the past but I still could not achieve it completely.

So if you ask me - it cannot be achieved seamlessly.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Digo11
Contributor

Hi @Blason_R 

Thanks for the quick info. Various SKs suggest it is achievable and I followed many of them (sk164355, sk53980, sk108600) and the Site to Site VPN R81.10 Administration Guide too. But none seemed to be helpful. I don't know if I am missing something here configuration-wise or if the flow is not correct.

Thanks,

Digo.

0 Kudos
