Numbered VTIs between 2 centrally managed CheckPoint clusters
Hi Checkmates,
I found some topics in this Community concerning VTIs, but all scenarios seem different to mine so I'm asking you guys for your insights.
We have 2 CheckPoint clusters, both centrally managed in the same SMS. One is Openserver R77.30, the other is a 1450 cluster R77.20.8x. In a normal situation, these sites communicate via MPLS. As a backup connection, we are required to configure an IPSEC site-to-site tunnel. To make failover (from MPLS to S2S) possible, I'm configuring VTI interfaces with routes with a higher metric.
I found some SKs about this (sk113735) and read "Configuring Numbered VTIs" in the Admin Guide but.
The Admin Guide describes how you create 1 VTI tunnel pair between the cluster and one gateway:
But we need this:
1) VTI pair between memberA1 and memberB1
2) VTI pair between memberA1 and memberB2
3) VTI pair between memberA2 and memberB1
4) VTI pair between memberA2 and memberB2
But this creates two tunnels, making it impossible to create working routing.
Or am I missing something?
I am a bit puzzled by your question: the R77.30 side could be a Load Sharing cluster, while the 1450 cluster on R77.20.8x is only capable of HA clustering; but despite that, an HA cluster consisting of two nodes has one external virtual cluster IP, so you only need one tunnel between the two external virtual cluster IPs.
Hmmm, actually this is more a question of how to configure the VTI interface between clusters:
(screenshot from sk113735)
Cluster1 (example IPs):
- member1: VTI local IP 10.10.10.10, remote IP 20.20.20.1
- member2: VTI local IP 10.10.10.11, remote IP 20.20.20.1
- cluster VIP: 10.10.10.1

Cluster2:
- member1: VTI local IP 20.20.20.20, remote IP 10.10.10.1
- member2: VTI local IP 20.20.20.21, remote IP 10.10.10.1
- cluster VIP: 20.20.20.1
I couldn't get it working like this, so I was guessing this config is wrong.
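For readers following along, here is the per-member Gaia clish that the layout in the post above corresponds to, written out as an added example; it is not from the original post, from sk113735 or from the Admin Guide. The VTI addresses are the example IPs from the post. The peer object names Cluster1 and Cluster2, the tunnel number 1, the protected networks 192.168.1.0/24 and 192.168.2.0/24 and the MPLS next hops 172.16.1.1 and 172.16.2.1 are assumptions for the example. Every member of a cluster is given the same `remote` address (the other cluster's VTI VIP) and its own `local` address; the VTI's own cluster VIP (10.10.10.1 / 20.20.20.1) is not set in clish but on the cluster object's topology in SmartConsole, followed by a policy install. The `#` lines are annotations, not clish commands.

```clish
# --- Cluster1, member1 (local 10.10.10.10) ---
add vpn tunnel 1 type numbered local 10.10.10.10 remote 20.20.20.1 peer Cluster2
# MPLS route preferred (priority 1), VTI route as backup (priority 2): lower value wins
set static-route 192.168.2.0/24 nexthop gateway address 172.16.1.1 priority 1 on
set static-route 192.168.2.0/24 nexthop gateway address 20.20.20.1 priority 2 on
save config

# --- Cluster1, member2 (local 10.10.10.11): identical except for the local address ---
add vpn tunnel 1 type numbered local 10.10.10.11 remote 20.20.20.1 peer Cluster2
set static-route 192.168.2.0/24 nexthop gateway address 172.16.1.1 priority 1 on
set static-route 192.168.2.0/24 nexthop gateway address 20.20.20.1 priority 2 on
save config

# --- Cluster2, member1 (local 20.20.20.20) ---
add vpn tunnel 1 type numbered local 20.20.20.20 remote 10.10.10.1 peer Cluster1
set static-route 192.168.1.0/24 nexthop gateway address 172.16.2.1 priority 1 on
set static-route 192.168.1.0/24 nexthop gateway address 10.10.10.1 priority 2 on
save config

# --- Cluster2, member2 (local 20.20.20.21) ---
add vpn tunnel 1 type numbered local 20.20.20.21 remote 10.10.10.1 peer Cluster1
set static-route 192.168.1.0/24 nexthop gateway address 172.16.2.1 priority 1 on
set static-route 192.168.1.0/24 nexthop gateway address 10.10.10.1 priority 2 on
save config

# --- Verification on any member ---
show vpn tunnels
show route
```

The resulting interface on each member is vpnt1. With both routes present, traffic keeps using the MPLS next hop while that route is up; only when it is withdrawn does the priority-2 route via the peer's VTI VIP become active, which is the failover behaviour the original post is after. The `peer` name must match the peer cluster object's name in SmartConsole exactly, otherwise the tunnel never comes up.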
There is the Site to Site VPN Administration Guide R80.30, and on p. 83 you see "Configuring VTIs in a Clustered Environment"; you only have to transfer that config to the two clusters.
