I'm currently running some tests in a lab with a VPN community and the route injection mechanism feature. I’m running those tests for an upcoming deployment.
My goal is to have RIM working and redistribute VPN domains in OSPF. I’m taking into account that some gateways in my upcoming deployment have 2 internet connections and that one is used for internet browsing and the other one for the L2L VPNs.
I've set up a basic home lab to figure out the Route Injection Mechanism. It is a fairly simple environment: Cisco switch -- Check Point VM -- Cisco router (internet) -- Check Point VM -- Cisco switch.
I have a VPN community between my Check Point VMs (R80.40) with the built-in "MyIntranet" meshed community. At this time, all traffic is allowed from any to any for testing purposes. There is a basic OSPF configuration between the Check Point firewalls and Cisco switches.
According to CP documentation, I enabled RIM in the community and the kernel routes on the firewalls.
RIM is working until I start simulating outages and forcing ISP failovers, or if I add certain static routes.
I would like to know if what I’m looking to achieve is possible or if I’m just banging my head on something that cannot be done. Here are a couple of problems I’m having at the moment:
- When I use a basic ISP H/A configuration and I simulate an outage with a failover to the second internet connection, the failover works well for the VPN tunnels, but the kernel routes are no longer injected into the routing table and, as such, are not redistributed in OSPF.
- After a failover to the secondary ISP, when the primary connection is restored, the tunnels remain on the secondary one unless I kill the tunnels or disconnect the secondary ISP.
- Note that when the tunnels are back on the primary ISP, the RIM starts working again.
- With or without ISP/VPN high availability, if I add static routes to force the use of the second ISP for the remote gateway’s public IP (for IPsec VPNs), RIM no longer works at all.
Are those expected behaviors? I can hardly believe that something as simple as the first point would not work; I feel like this is probably due to a misconfiguration on my end. As for the other two, I think I’ll need to go the “VTI” route if I want a bit more flexibility out of my VPN community.
If I use VTIs for my meshed community, will I also be able to use VTIs for IPsec VPNs between some Check Point gateways and Azure / AWS gateways?
Any input on this would be much appreciated!
Here's some routing configuration used on my firewalls (pretty similar on both of them):
set kernel-routes on
set ospf instance default export-routemap static-to-ospf preference 1 on
set ospf instance default export-routemap kernel-to-ospf preference 2 on
set routemap kernel-to-ospf id 10 on
set routemap kernel-to-ospf id 10 allow
set routemap kernel-to-ospf id 10 match prefix-list RFC1918 preference 1 on
set routemap kernel-to-ospf id 10 match protocol kernel
set routemap kernel-to-ospf id 10 action route-type type-1
set routemap static-to-ospf id 10 on
set routemap static-to-ospf id 10 allow
set routemap static-to-ospf id 10 match network 0.0.0.0/0 exact
set routemap static-to-ospf id 10 match protocol static
set routemap static-to-ospf id 10 action route-type type-1
set static-route 126.96.36.199/24 nexthop gateway address 188.8.131.52 on
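To reason about what the two route maps above actually export, here is an added example (not part of the original post or of Check Point's software) that models the page's redistribution rules in Python and compares the exported set before and after a simulated ISP failover. The RFC1918 prefix-list contents and all route entries are constructed assumptions, since the post does not show them.

```python
import ipaddress

# Prefix-list "RFC1918" is referenced but not shown on the page; assumed contents.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def in_prefix_list(prefix, plist):
    """True if prefix falls inside any entry of the prefix-list (same IP version only)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in plist)

def kernel_to_ospf(route):
    # routemap kernel-to-ospf id 10: allow, match protocol kernel, match prefix-list RFC1918
    return route["protocol"] == "kernel" and in_prefix_list(route["prefix"], RFC1918)

def static_to_ospf(route):
    # routemap static-to-ospf id 10: allow, match protocol static, match network 0.0.0.0/0 exact
    return route["protocol"] == "static" and ipaddress.ip_network(route["prefix"]) == DEFAULT

def exported_routes(routes):
    """Map prefix -> (route map, OSPF external type) for routes OSPF would export."""
    out = {}
    for r in routes:
        if static_to_ospf(r):
            out[r["prefix"]] = ("static-to-ospf", "type-1")   # default route only
        elif kernel_to_ospf(r):
            out[r["prefix"]] = ("kernel-to-ospf", "type-1")   # RIM-injected VPN domains
    return out

def missing_after_failover(before, after):
    """Prefixes exported before the failover that are no longer exported afterwards."""
    return sorted(set(exported_routes(before)) - set(exported_routes(after)))

# Constructed routing table: default via primary ISP, one RIM kernel route for a
# private VPN domain, one kernel route outside RFC1918, and a /32 static to the peer.
BEFORE = [
    {"prefix": "0.0.0.0/0", "protocol": "static"},
    {"prefix": "10.20.0.0/16", "protocol": "kernel"},
    {"prefix": "203.0.113.0/24", "protocol": "kernel"},
    {"prefix": "198.51.100.7/32", "protocol": "static"},
]
# Constructed table after failover: the RIM kernel route is gone, as the post describes.
AFTER = [r for r in BEFORE if r["prefix"] != "10.20.0.0/16"]

if __name__ == "__main__":
    print(exported_routes(BEFORE))
    print("lost after failover:", missing_after_failover(BEFORE, AFTER))
```

The /32 static route to the peer's public IP is never exported because static-to-ospf matches 0.0.0.0/0 exactly, and a kernel route outside RFC1918 is dropped by the prefix-list, so an absent OSPF advertisement can be a filter effect as well as a missing kernel route.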