Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi Checkmates,
I found some topics in this Community concerning VTIs, but all scenarios seem different to mine so I'm asking you guys for your insights.
We have 2 CheckPoint clusters, both centrally managed in the same SMS. One is Openserver R77.30, the other is a 1450 cluster R77.20.8x. In a normal situation, these sites communicate via MPLS. As a backup connection, we are required to configure an IPSEC site-to-site tunnel. To make failover (from MPLS to S2S) possible, I'm configuring VTI interfaces with routes with a higher metric.
I found some SKs about this (sk113735) and read "Configuring Numbered VTIs" in the Admin Guide but.
The Admin Guide describes how you create 1 VTI tunnel pair between the cluster and one gateway:
But we need this:
1) VTI pair between memberA1 and memberB1
2) VTI pair between memberA1 and memberB2
3) VTI pair between memberA2 and memberB1
4) VTI pair between memberA2 and memberB2
But this creates two tunnels, making it impossible to create working routing.
Or am I missing something?
Hmmm, actually this is more a question of how to configure the VTI interface between clusters:
(screenshot from sk113735)
Cluster1 we have (example IPs)
member1 vti local ip 10.10.10.10, remote ip 20.20.20.1
member2 vti local ip 10.10.10.11, remote ip 20.20.20.1
cluster VIP: 10.10.10.1
Cluster2:
member1 vti local ip 20.20.20.20, remote ip 10.10.10.1
member2 vti local ip 20.20.20.21, remote ip 10.10.10.1
cluster VIP: 20.20.20.1
I couldn't get it working like this, so I was guessing this config is wrong.
