This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Philip_W
Contributor
‎2019-07-11 06:17 AM

Numbered VTIs between 2 centrally managed CheckPoint clusters

Hi Checkmates,

I found some topics in this Community concerning VTIs, but all scenarios seem different to mine so I'm asking you guys for your insights.

We have 2 CheckPoint clusters, both centrally managed in the same SMS. One is Openserver R77.30, the other is a 1450 cluster R77.20.8x. In a normal situation, these sites communicate via MPLS. As a backup connection, we are required to configure an IPSEC site-to-site tunnel. To make failover (from MPLS to S2S) possible, I'm configuring VTI interfaces with routes with a higher metric.

I found some SKs about this (sk113735) and read "Configuring Numbered VTIs" in the Admin Guide but.

The Admin Guide describes how you create 1 VTI tunnel pair between the cluster and one gateway:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/34437.gif

 

But we need this:

tmpfig.jpg

 

 

 

 

1) VTI pair between memberA1 and memberB1

2) VTI pair between memberA1 and memberB2

3) VTI pair between memberA2 and memberB1

4) VTI pair between memberA2 and memberB2

But this creates two tunnels, making it impossible to create working routing.

Or am I missing something?

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-07-12 01:03 AM

I am puzzled a bit by your question: R77.30 could be a Load Sharing Cluster, the other is a 1450 cluster R77.20.8x that is only capable of HA Clustering, but despite that, a HA cluster consisting of two nodes has one external virtual cluster IP - so you only need one tunnel between the two external virtual cluster IPs.

 

.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Philip_W
Contributor
‎2019-07-12 02:10 AM
In response to G_W_Albrecht

Hmmm, actually this is more a question of how to configure the VTI interface between clusters:

(screenshot from sk113735)

Cluster1 we have (example IPs)

member1 vti local ip 10.10.10.10, remote ip 20.20.20.1

member2 vti local ip 10.10.10.11, remote ip 20.20.20.1

cluster VIP: 10.10.10.1

Cluster2:

member1 vti local ip 20.20.20.20, remote ip 10.10.10.1

member2 vti local ip 20.20.20.21, remote ip 10.10.10.1

cluster VIP: 20.20.20.1

I couldn't get it working like this, so I was guessing this config is wrong.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-07-12 02:56 AM
In response to Philip_W

You have  Site to Site VPN Administration Guide R80.30 and on p.83 you see: Configuring VTIs in a Clustered Environment - you only have to transfer the config to two clusters.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events