This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gomboragchaa
Advisor
‎2018-01-11 08:33 AM

Multiple VPN - MEP

How can i do VPN optik link with internet IPSec VPN.

May i use MEP? Which ip address become main IP of Cluster Checkpoints

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2018-01-12 06:11 PM

MEP implies you have two VPN gateways responsible for the exact same locations.

That doesn't appear to be the case here, so MEP is not appropriate.

What you're probably after is Link Selection.

Refer to the VPN Site to Site docs: Site to Site VPN R80.10 - Part of Check Point Infinity 

Gomboragchaa
Advisor
‎2018-01-12 08:10 PM
In response to PhoneBoy

Thank you for your response. 

I tried Link Selection.

But it is cannot connecting concurrently vpn connections.

May i need to create VTI interface on checkpoint?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-12 09:14 PM
In response to Gomboragchaa

How did you configure Link Selection?

You can configure it in an HA mode (only one VPN link is active) or in a Load Sharing mode (both VPN links are active). 

Various scenarios and how to configure them are described in the documentation I linked above.

0 Kudos
Norbert_Bohusch
Advisor
‎2018-01-13 01:25 AM

Link Selection Probing relies on a Check Point proprietary protocol.

As your peers in branch location are Cisco ASA, this will not work, as far as I know!

PhoneBoy
Admin
Admin
‎2018-01-13 08:40 AM
In response to Norbert_Bohusch

Right and the documentation discusses how to deal with this.

0 Kudos
Gomboragchaa
Advisor
‎2018-01-19 01:21 AM
In response to Norbert_Bohusch

Thank you Norbert Bohusch.

Your right. I tested many times. It can connecting only Checkpoint gateways.

Do you have a any solution of my case? Please give me advice.

i am still finding convenient solution.

0 Kudos
KennyManrique
Advisor
‎2018-01-19 05:48 AM
In response to Gomboragchaa

Hi Gomboragchaa,

My recommendation is you update to R80.10 and use Route Based VPN (numbered) only with Branch-1 while maintaing Domain Based with the other two locations (only one link to them). Also would be convenient you change the ClusterXL mode to HA instead LS because the implications on tunnel establishment with remote peers according to ATRG: VPN Core and VPN Site-to-Site with 3rd party .

You will have to update your ASA device on Branch-1 to at least 9.7.1 version to support Route Based VPN deployments Release Notes for the Cisco ASA Series, 9.7(x) - Cisco

Regards.

Gomboragchaa
Advisor
‎2018-01-19 07:35 AM
In response to KennyManrique

Thank you for your advice Kenny Manrique‌,

Branch1's ASA Version 8.4(7)1. I am not sure to upgrade Cisco IOS and i think it is the best solution. I will inquire more for Route Based VPN.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events