This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2019-01-08 11:55 PM
Jump to solution

MPLS (Cleartext) and Internet (IPSec VPN) Failover

Dear Team,

Please find the below image.

Our requirement is to provide redundancy between MPLS and IPSec VPN.

Please suggest us any usecase so we can achive.

Thanks In AdvancedSmiley Happy

#Chinmaya Naik

0 Kudos
1 Solution

Accepted Solutions
Sam2
Contributor
‎2022-11-17 12:17 PM
Jump to solution

We use OSPF for this exact design. A high-level implementation would be:

1. Have your firewalls advertise a default route and have the MPLS routers advertise your internal networks for each office, be sure to change the metric of the default route advertisement so that one firewall doesn't take the internet for both offices
2. configure a VPN between the firewalls, route-based or domain based,  and either define routing for them or define their respective encryption domains 

If the MPLS fails the default route from the local firewall will be the only route in the office so traffic will go to the firewall and hit your vpn config

If the internet fails over the default route from the MPLS will come through and all office traffic will take the MPLS until the internet is restored 

View solution in original post

0 Kudos
11 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-01-09 12:53 AM
Jump to solution

Do you know this one here: sk56384: How To Create a Redundant, Service-based MPLS/Encrypted Link VPN ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chinmaya_Naik
Advisor
‎2019-01-09 12:59 AM
In response to G_W_Albrecht
Jump to solution

Thanks Günther W. Albrecht‌ 

Yes i already go through this SK 56384 .

So is this working on our scenario.

#Chinmaya Naik

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-09 04:08 AM
In response to Chinmaya_Naik
Jump to solution

When you have the possibility to have the MPLS routers to build a VPN over the internet to the other location, this would solve your problems. You would need to have a additional external IP on both FW's to be able to statically NAT those to the routers, only allow the routers access to each other and setup the external IP for the other router to route through the local FW to internet. This way both paths can be used and controlled by the router.

Regards, Maarten
0 Kudos
Chinmaya_Naik
Advisor
‎2019-01-09 05:17 AM
In response to Maarten_Sjouw
Jump to solution

Thanks Maarten Sjouw

‌I am not got your point.

Canyou please simplify. 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-09 11:24 AM
In response to Chinmaya_Naik
Jump to solution

Take your drawing and extend the VPN through the 1400 's and attach directly to the routers.  So let your routers build the VPN through the FW's and Internet. now you have the MPLS Path and the VPN path between the 2 routers, Routing will then need to be set that the MPLS is the better path and when that fails it will use the VPN path.

Regards, Maarten
0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-09 06:12 AM
In response to Chinmaya_Naik
Jump to solution

It will work if all necessary routes for all networks are available on MPLS routers.


0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-01-09 06:38 AM
Jump to solution

I have one problem - i do just not see any question here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PankajTiwari1
Explorer
‎2022-11-16 08:48 PM
In response to G_W_Albrecht
Jump to solution

I AM also facing same issue. according to SK 56384 it providing the load sharing and i just required high availability on MPLS (Clear Text) to IPSEC (Encrypted text). Please help me :).

0 Kudos
Sam2
Contributor
‎2022-11-17 12:17 PM
Jump to solution

We use OSPF for this exact design. A high-level implementation would be:

1. Have your firewalls advertise a default route and have the MPLS routers advertise your internal networks for each office, be sure to change the metric of the default route advertisement so that one firewall doesn't take the internet for both offices
2. configure a VPN between the firewalls, route-based or domain based,  and either define routing for them or define their respective encryption domains 

If the MPLS fails the default route from the local firewall will be the only route in the office so traffic will go to the firewall and hit your vpn config

If the internet fails over the default route from the MPLS will come through and all office traffic will take the MPLS until the internet is restored 

0 Kudos
PankajTiwari1
Explorer
‎2022-11-17 08:55 PM
In response to Sam2
Jump to solution

Dear SAM,

 

Thanks For your reply. i understand you are using Dynamic routing and i am using static routing. Please help me to provide the OSPF configuration senior so i can configure the same. Thanks:)

0 Kudos
Sam2
Contributor
‎2022-11-18 09:19 AM
In response to PankajTiwari1
Jump to solution

I wont be able to supply config, you should reach out to a partner or checkpoint for help with an actual implementation if you are having problems so they could support any issues that arise

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events