elapuente
Explorer

Question about vpn/ipsec on external interface with private addresses

Hello everyone!!!

We ask for the community's help in solving the following configuration problem.

First of all, we have an ISP cluster of routers and a Checkpoint cluster. It's a very simple configuration. There is a /29 of public IPs that the ISP routes to the Checkpoint.

The ISP routers and the Checkpoint are connected via a routing network with private addresses (10.100.250.0/24).

So, 10.100.250.1, .2 and .3 are the IPs on the router side, and 10.100.250.252, .253 and .254 are the Checkpoint cluster addresses. The ISP routes the public range to IP 10.100.250.254 (the Checkpoint virtual IP).

There is no public address on the checkpoint cluster. We have some services published with some NAT rules.

But, we want to enable the Mobile portal, and be able to create site-to-site IPSec tunnel.

The problem we have is that we cannot make the "https://<publicip>/sslvpn" URL work, because there is no public IP on the Checkpoint. We cannot make a 1-to-1 NAT for the firewall itself. We tried with Proxy ARP, with no success. It worked with an interface alias on one of the Checkpoint members, but that is not supported with ClusterXL (and we cannot add another virtual IP on the external interface).

There are two possible solutions (changing the interconnect network):

- 3 public IPs on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster

- 1 public IP on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster (sk32073)

But we only have 6 public IPs, and don't want to waste them on the routing network.

Is there anyone with a similar configuration?

Thank you in advance for the help!!

Best regards,

0 Kudos
7 Replies
Wolfgang
Authority

@elapuente 

Add a new dummy cluster interface.
You can use private IPs for the cluster members' IP addresses and use one of the public IPs with /32 as the virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services listen on this IP.

Wolfgang

0 Kudos
elapuente
Explorer

Thank you @Wolfgang, it makes sense.

What do you mean by a dummy cluster interface? An unused VLAN interface, for example?

Best regards


0 Kudos
Wolfgang
Authority

Yes @elapuente ,

We did this with a new VLAN interface. There is no need to use a physical interface.

You need an interface defined on the cluster with one of the public IPs.

Wolfgang

0 Kudos
AnujPratap
Participant

Hi Wolfgang,

We have a similar setup, but we don't have a VLAN interface on the firewall's external interface. So can we define the public IP as the cluster IP and leave the gateway nodes as "none"? Will that work?

-> CP external interface connected to the Internet router

-> But we don't have any VLAN interface on the CP external interface of the firewall.


VPN Gateway ------->  Internet-----> Internet Router -----> Checkpoint FW / VPN

0 Kudos
Wolfgang
Authority

Yes, it's possible to set private IPs for your cluster nodes in the same subnet and define the virtual cluster IP as a public IP. But with this setup it's not possible to manage your cluster from the external side.

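The dummy-VLAN approach from the replies above, written out as an added example (it is not configuration from the thread or from Check Point documentation). It assumes Gaia clish, an external interface named eth1, VLAN ID 999 and a constructed private /29 (10.255.255.0/29) for the member addresses; the public VIP itself is assigned in the SmartConsole cluster object, not in clish.

```clish
# Run on EACH cluster member. Member A gets 10.255.255.1, member B gets
# 10.255.255.2 (constructed RFC 1918 values, same subnet on both nodes).
# The VLAN carries no real traffic: it exists only so the cluster can own
# one of the public /29 addresses as a virtual IP for local services.
add interface eth1 vlan 999
set interface eth1.999 ipv4-address 10.255.255.1 mask-length 29
set interface eth1.999 state on
save config

# Then in SmartConsole: cluster object -> Network Management -> eth1.999,
# type Cluster, virtual IP = one of the public /29 addresses, mask /32.
# No static route is needed: the ISP already forwards the public range to
# 10.100.250.254, so the gateway delivers packets for the VIP locally.
# Install policy, then verify the interface is tracked by ClusterXL:
cphaprob -a if
```

The VPN portal and the site-to-site endpoint bind to the cluster VIP, so the existing NAT rules for published services are unaffected; note Wolfgang's caveat that this interface cannot be used to manage the cluster from the outside.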
AnujPratap
Participant

Thanks Wolfgang for your prompt response.

One more query, if you don't mind.

Do we need to do physical cabling for the cluster node interfaces?
or
can we just configure them with the private IP and the public IP on the cluster VIP?

0 Kudos
Wolfgang
Authority

@AnujPratap 

I'm not sure I understand your question.

You have to connect the physical interfaces on both nodes via a switch or a direct cable to get them into the up state and get your cluster VIP up.

Was this your question or something different?

0 Kudos