elapuente
Explorer

Question about vpn/ipsec on external interface with private addresses

Hello everyone!!!

We ask the community for help solving the following configuration.

First of all, we have an ISP cluster of routers and a Checkpoint cluster. It's a very simple configuration. There is a /29 of public IPs that the ISP routes to the Checkpoint.

The ISP routers and the Checkpoint are connected via a routing network with private addresses (10.100.250.0/24).

So, 10.100.250.1, .2 and .3 are the IPs on the router side, and 10.100.250.252, .253 and .254 are the Checkpoint cluster addresses. The ISP routes the public range to 10.100.250.254 (the Checkpoint virtual IP).

There is no public address on the checkpoint cluster. We have some services published with some NAT rules.

But we want to enable the Mobile portal and be able to create site-to-site IPSec tunnels.

The problem we have is that we cannot make the "https://<publicip>/sslvpn" URL work, because there is no public IP on the Checkpoint. We cannot do 1-to-1 NAT for the firewall itself. We tried Proxy ARP, with no success. It worked with an interface alias on one of the Checkpoints, but that is not supported with ClusterXL (and we cannot add another virtual IP on the external interface).

There are two possible solutions (changing the interconnect network):

- 3 public IPs on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster

- 1 public IP on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster (sk32073)

But we only have 6 public IPs, and we don't want to waste them on the routing network.

Is there anyone with a similar configuration?

Thank you in advance for the help!!

Best regards,

3 Replies
Wolfgang
Leader

@elapuente 

Add a new dummy cluster interface.
You can use private IPs for the cluster member IP addresses and use one of the public IPs with /32 as the virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listening on this IP.

Wolfgang

elapuente
Explorer

Thank you @Wolfgang, it makes sense.

What do you mean by a dummy cluster interface? An unused VLAN interface, for example?

Best regards

Wolfgang
Leader

Yes @elapuente,

we did this with a new VLAN interface. There is no need to use a physical interface.

You need an interface defined on the cluster with one of the public IPs.

Wolfgang

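What the "dummy VLAN cluster interface" from Wolfgang's replies looks like on the Gaia command line, as an added illustration that is not part of the thread: the parent interface eth2, VLAN tag 999 and the 192.168.254.0/29 member addresses are constructed placeholders, and <PUBLIC_IP> stands for one address from the ISP-routed /29.

```clish
# Added example, not from the thread. Cluster member 1 (Gaia clish).
# eth2, VLAN 999 and 192.168.254.x are assumed/constructed values.
add interface eth2 vlan 999
set interface eth2.999 ipv4-address 192.168.254.1 mask-length 29
set interface eth2.999 state on
save config

# Cluster member 2: same VLAN, next private member address.
add interface eth2 vlan 999
set interface eth2.999 ipv4-address 192.168.254.2 mask-length 29
set interface eth2.999 state on
save config

# Cluster object (SmartConsole, not clish): re-read the interfaces, set the
# topology of eth2.999 to a cluster interface with virtual IP <PUBLIC_IP>/32,
# then install policy. As the replies note, no routes are added; nothing egresses
# via this VLAN, it only gives the Mobile Access portal and VPN daemons a public
# address to listen on. Keep the VLAN unused by any switch port so it stays a dummy.
```

The private member addresses never need to be reachable from outside; only the /32 VIP does, via the ISP's existing route for the /29 toward 10.100.250.254.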