Nickel

Numbered VTIs between 2 centrally managed CheckPoint clusters

Hi Checkmates,

I found some topics in this Community concerning VTIs, but all scenarios seem different to mine so I'm asking you guys for your insights.

We have 2 CheckPoint clusters, both centrally managed in the same SMS. One is Openserver R77.30, the other is a 1450 cluster R77.20.8x. In a normal situation, these sites communicate via MPLS. As a backup connection, we are required to configure an IPSEC site-to-site tunnel. To make failover (from MPLS to S2S) possible, I'm configuring VTI interfaces with routes with a higher metric.

I found some SKs about this (sk113735) and read "Configuring Numbered VTIs" in the Admin Guide, but.

The Admin Guide describes how you create one VTI tunnel pair between the cluster and one gateway:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/34437.gif

But we need this:

(attachment: tmpfig.jpg)
1) VTI pair between memberA1 and memberB1

2) VTI pair between memberA1 and memberB2

3) VTI pair between memberA2 and memberB1

4) VTI pair between memberA2 and memberB2

But this creates two tunnels, making it impossible to create working routing.

Or am I missing something?

3 Replies
Sapphire

I am a bit puzzled by your question: R77.30 could be a Load Sharing cluster; the other, a 1450 cluster on R77.20.8x, is only capable of HA clustering. But despite that, an HA cluster consisting of two nodes has one external virtual cluster IP, so you only need one tunnel between the two external virtual cluster IPs.

Nickel

Hmmm, actually this is more a question of how to configure the VTI interfaces between clusters:

(screenshot from sk113735)

Cluster1, we have (example IPs):

member1 VTI local IP 10.10.10.10, remote IP 20.20.20.1

member2 VTI local IP 10.10.10.11, remote IP 20.20.20.1

cluster VIP: 10.10.10.1

Cluster2:

member1 VTI local IP 20.20.20.20, remote IP 10.10.10.1

member2 VTI local IP 20.20.20.21, remote IP 10.10.10.1

cluster VIP: 20.20.20.1

I couldn't get it working like this, so I was guessing this config is wrong.

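The addressing scheme above, written out as Gaia clish commands for the R77.30 (Cluster1) side. This is an added example, not configuration from the thread or from Check Point's documentation; it assumes the peer cluster object is named Cluster2 in SmartConsole, that the VTI cluster VIP 10.10.10.1 is assigned in the cluster object's topology rather than in clish, that the 1450 side is configured through its own UI, and that 192.168.2.0/24 is a placeholder network behind Cluster2 already reachable over MPLS with a better (lower) route priority.

```clish
# Member A1: local VTI address 10.10.10.10; the remote address is the peer's cluster VIP
add vpn tunnel 1 type numbered local 10.10.10.10 remote 20.20.20.1 peer Cluster2

# Member A2: same tunnel id, remote address and peer object; only the local address differs
add vpn tunnel 1 type numbered local 10.10.10.11 remote 20.20.20.1 peer Cluster2

# On both members: backup route over the VTI with a worse priority than the MPLS route,
# so traffic only moves to the S2S tunnel when the MPLS route disappears
set static-route 192.168.2.0/24 nexthop gateway address 20.20.20.1 priority 8 on

# Verify the tunnel interface (vpnt1) and the static route on each member
show interface vpnt1
show route static
show vpn tunnels
```

After changing the VTI addressing, install policy so the cluster object's updated topology (including the VTI VIP) reaches both members.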
Sapphire

You have the Site to Site VPN Administration Guide R80.30, and on p. 83 you see "Configuring VTIs in a Clustered Environment"; you only have to transfer the config to two clusters.
