Contributor

Questions about VPN link selection and source Peer address


Hi, I am trying to figure out what exactly it means when link selection is set, and all the consequences of choosing one interface or another.

As far as I have read on the Internet, link selection determines the interface used for incoming/outgoing traffic, and also helps to determine the best route. I can understand this, but I still have tons of questions regarding link selection:

- What happens if I have two interfaces with public IPs (let's call these interfaces 1 and 2), and I have just a default route to reach the Internet through interface 1? What happens if I set the interface 2 IP as link selection?

- Will my device try to reach the peer using the default route through interface 1, or will my device try to reach the peer through interface 2 (even if I do not have a route for that)?

- If the Check Point device uses interface 1 to send traffic, which IP would the firewall use as the source address for generated packets? The interface 1 or the interface 2 IP address?

Can you please help me with these doubts?

Thanks!

1 Solution

Accepted Solutions
Champion
When your ISP is indeed routing the IP of int 2 to your int 1 then indeed you should be able to use it like this and tcpdump should show you the IP of int 2.
Regards, Maarten

3 Replies
Champion
When you set int 2 to be the source, you should make sure to set a route for the peer to use int 2, as it will use the int 2 IP on the outgoing packets. If you do not set a route, it will send the traffic out int 1 according to the routes, and it will return on int 2.
Regards, Maarten
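The two rules Maarten states above (the egress interface comes from the routing table, the source IP comes from link selection, and the two can disagree) are easy to get wrong when troubleshooting NAT or asymmetric-return problems. The following is an added example written for this thread, not Check Point code and not the gateway's actual routing implementation: a small Python model of a gateway with two public interfaces, a default route via interface 1 only, and a link-selection address on interface 2. It performs longest-prefix lookup to choose the egress interface, applies the link-selection address as the source, and flags the mismatch so the operator knows a peer-specific route (or an ISP route for the int 2 subnet back to int 1, as in the accepted solution) is needed. All interface names, addresses and routes are constructed sample values.

```python
import ipaddress

# Constructed sample topology (RFC 5737 documentation ranges, not real hosts):
# interface 1 (eth1) and interface 2 (eth2) both carry public addresses,
# but only eth1 has a default route, exactly as in the original question.
ROUTES = [
    # (destination prefix, egress interface)
    ("198.51.100.0/24", "eth1"),   # connected subnet of int 1 (constructed)
    ("203.0.113.0/24", "eth2"),    # connected subnet of int 2 (constructed)
    ("0.0.0.0/0", "eth1"),         # default route via int 1 only
]
INTERFACE_IP = {"eth1": "198.51.100.10", "eth2": "203.0.113.10"}  # constructed


def longest_prefix_match(routes, dst):
    """Return the egress interface for dst by longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def vpn_packet_plan(routes, interface_ip, peer, link_selection_ip=None):
    """Model how a gateway-originated VPN packet to `peer` leaves the box.

    Returns (egress_interface, source_ip, asymmetric):
      - egress_interface: chosen purely by the routing table;
      - source_ip: the link-selection address when one is set, otherwise the
        egress interface's own address;
      - asymmetric: True when the source IP does not belong to the egress
        interface, i.e. packets leave int 1 carrying the int 2 address and
        replies will come back on int 2 (or wherever the ISP routes that IP).
    """
    egress = longest_prefix_match(routes, peer)
    if egress is None:
        raise ValueError(f"no route to peer {peer}")
    source_ip = link_selection_ip or interface_ip[egress]
    asymmetric = source_ip != interface_ip[egress]
    return egress, source_ip, asymmetric


def with_peer_route(routes, peer, iface):
    """Return a copy of `routes` with a host route forcing `peer` out `iface`.

    This is the fix Maarten recommends: make the routing table agree with the
    link-selection address so egress and source IP line up again.
    """
    return routes + [(f"{peer}/32", iface)]


if __name__ == "__main__":
    peer = "192.0.2.50"  # constructed remote VPN peer
    # Link selection on int 2 but no route: leaves eth1 with the eth2 address.
    print(vpn_packet_plan(ROUTES, INTERFACE_IP, peer, "203.0.113.10"))
    # Same, after adding a host route for the peer via eth2: symmetric again.
    fixed = with_peer_route(ROUTES, peer, "eth2")
    print(vpn_packet_plan(fixed, INTERFACE_IP, peer, "203.0.113.10"))
```

When `asymmetric` is True the model is telling you what a capture on interface 1 will show: the int 2 address as source on an interface that does not own it. That is harmless only if the ISP really routes the int 2 subnet back to int 1; otherwise add the peer route so the packet leaves the interface whose address it carries.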
Contributor

Thank you for the answer, but what if interface 2 is configured but actually does not have connectivity? Then the ISP router has a static route which sends the traffic destined to the interface 2 public subnet through interface 1. In this case, the traffic would go in/out through interface 1, but if I run a tcpdump, which source IP should I see leaving the firewall? The interface 2 IP (which is set in the link selection) or the interface 1 IP?

I suppose that I should see the interface 2 IP, but I just need to confirm this. I am having issues with a NAT and I would like to ensure this behavior before modifying the NAT. Thanks!
