Multiple VPN - MEP

How can I do VPN optic link with internet IPSec VPN?

May I use MEP? Which IP address becomes the main IP of the Check Point cluster?

0 Kudos
8 Replies
Admin

Re: Multiple VPN - MEP

MEP implies you have two VPN gateways responsible for the exact same locations.

That doesn't appear to be the case here, so MEP is not appropriate.

What you're probably after is Link Selection.

Refer to the VPN Site to Site docs: Site to Site VPN R80.10 - Part of Check Point Infinity 


Re: Multiple VPN - MEP

Thank you for your response. 

I tried Link Selection.

But it cannot connect concurrent VPN connections.

Do I need to create a VTI interface on the Check Point?

0 Kudos
Admin

Re: Multiple VPN - MEP

How did you configure Link Selection?

You can configure it in an HA mode (only one VPN link is active) or in a Load Sharing mode (both VPN links are active). 

Various scenarios and how to configure them are described in the documentation I linked above.

0 Kudos

Re: Multiple VPN - MEP

Link Selection Probing relies on a Check Point proprietary protocol.

As your peers in the branch locations are Cisco ASA, this will not work, as far as I know!

Admin

Re: Multiple VPN - MEP

Right, and the documentation discusses how to deal with this.

0 Kudos

Re: Multiple VPN - MEP

Thank you Norbert Bohusch.

You're right. I tested many times. It can connect only to Check Point gateways.

Do you have any solution for my case? Please give me advice.

I am still looking for a convenient solution.

0 Kudos

Re: Multiple VPN - MEP

Hi Gomboragchaa,

My recommendation is that you update to R80.10 and use Route Based VPN (numbered) only with Branch-1 while maintaining Domain Based with the other two locations (only one link to them). It would also be convenient to change the ClusterXL mode to HA instead of LS because of the implications on tunnel establishment with remote peers, according to ATRG: VPN Core and VPN Site-to-Site with 3rd party.

You will have to update your ASA device on Branch-1 to at least version 9.7.1 to support Route Based VPN deployments: Release Notes for the Cisco ASA Series, 9.7(x) - Cisco

Regards.


Re: Multiple VPN - MEP

Thank you for your advice, Kenny Manrique,

Branch1's ASA version is 8.4(7)1. I am not sure about upgrading Cisco IOS, and I think it is the best solution. I will inquire more about Route Based VPN.