Explorer

S2S VPN backup options

Hi, we have Check Point ClusterXL R80.20 firewalls with an IPsec site-to-site VPN to a third party (Cisco). I need to create a backup VPN to a different gateway IP address at the third party (all internal IP address encryption domains remain the same).

Is the only way I can do this to create a new VPN using VTIs?

I've read through the docs and I cannot see a quick way of implementing what seems a simple request.

9 Replies
Admin

Failover between the sites will be much more reliable with VTIs.

Collaborator

Paul,

Maybe I'm confused about this... are you saying you want to use the SAME CP cluster to create a different VPN cluster with another Cisco gateway as the 3rd-party appliance, or something else?

Andy

Explorer

We would just like to define a second external gateway to connect to should the primary VPN go down. The external third party has set up this backup gateway. Surely there should be some way to get Check Point to create the VPN with this alternative gateway with the same IP domain settings in the event the primary fails. Our Check Point cluster already has its own resilience with two appliances some distance apart and dual separate Internet pipes.


AFAIK, two third-party remote peers using the same VPN topology (IPsec phase 2 protected networks) is not possible.
As Phoneboy mentioned, it is done by creating a route-based VPN and VTIs.

and now to something completely different
Explorer

That's what I thought. I have never set up a VTI VPN, but from what I have read it looks to me like a route-based VPN would not be as secure as a policy-based VPN.


I don't know what security aspects would speak against a route-based VPN, so that one could not use it.

and now to something completely different
Collaborator

OK, I am going to throw this out there and I could be 100% wrong, but I saw customers do it this way and it does work. So, just for some context, if you were doing this on FortiGate OR Cisco, you could set up a brand new VPN tunnel WITHOUT always having to use the same encryption domain, but sadly, in Check Point, that's not possible, as you have to define it on the gateway object itself. Personally, I don't even think that's needed, as you could leave it by default (all IP addresses behind the firewall). In reality, what controls the traffic are the rules, not the encryption domain for the VPN. So technically, that way, you could have the same gateway used as backup; you would just need a different rule to control the traffic within that separate VPN community. There is an option for a backup gateway in global properties and in the object itself, BUT that's only for remote access VPN... NOT site-to-site VPN.

I honestly can't think of any other logical way to do this without changing the type of VPN. Anyway, I'm happy to do a remote session and see if I can help you. Message me privately and we can set something up.

Cheers!

Andy

Explorer

Security-wise, if we used VTIs the third party wants us to allow a real /17 range of real IP addresses, and we would be allowing dynamic routing protocols that we don't currently use.

It seems to me that Check Point is lacking in this area compared to competitors.

Ottawacanada150, briefly, how would you define the backup gateway to the VPN? 

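For readers weighing the VTI route, here is what the route-based alternative discussed in this thread looks like on the Gaia side: two numbered VTIs, one per third-party peer, and static routes with priorities so the backup tunnel takes over without any dynamic routing protocol. This is an added example, not configuration from any poster or from Check Point; the peer object names, tunnel IDs, link-local addresses and the 172.16.0.0/17 destination are all assumptions for illustration.

```clish
# Added example (not from any poster in this thread): route-based VPN on a
# Gaia gateway with two numbered VTIs, one to each third-party Cisco peer,
# and static-route failover between them. All names, tunnel IDs and
# addresses below are assumptions; adjust them to your environment.
#
# Assumed prerequisites in SmartConsole (not shown here): two interoperable
# device objects named exactly CiscoPrimary and CiscoBackup, both members of
# the same VPN community as the cluster. The "peer" value must match the
# object name in SmartConsole, otherwise the tunnel will not be bound.

# Primary VTI (interface vpnt10): 169.254.10.0/30 between us and CiscoPrimary
add vpn tunnel 10 type numbered local 169.254.10.1 remote 169.254.10.2 peer CiscoPrimary

# Backup VTI (interface vpnt20): 169.254.20.0/30 between us and CiscoBackup
add vpn tunnel 20 type numbered local 169.254.20.1 remote 169.254.20.2 peer CiscoBackup

# Only the third party's range (assumed 172.16.0.0/17) is routed into the
# tunnels. The priority-1 next hop is used while it is reachable; the
# priority-2 next hop is used only when the primary is marked down.
set static-route 172.16.0.0/17 nexthop gateway address 169.254.10.2 priority 1 on
set static-route 172.16.0.0/17 nexthop gateway address 169.254.20.2 priority 2 on

# Ping monitoring on the route is what declares a next hop dead when the
# remote VTI address stops answering, and therefore what triggers failover.
set static-route 172.16.0.0/17 ping on

save config
```

Two caveats a practitioner would want before copying this. First, on ClusterXL the VTIs have to be defined with the same tunnel ID and peer name on both members and then given a cluster address in the cluster object's topology, so the remote side peers with the VIP rather than a member IP; check Check Point's VTI-on-cluster documentation for your release. Second, route-based VPN does not remove the rulebase: the static routes decide which tunnel carries the /17, but a rule must still permit that traffic (and, per Check Point's route-based VPN guidance, the VPN domain of the VTI peers is normally left as an empty group so that routing, not the encryption domain, selects the tunnel). Nothing here requires OSPF or BGP; static routes with priorities and ping monitoring give the failover on their own.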
Collaborator

Of course it's lacking in this area; it's always been like that, sadly :(. Anyway, for the backup feature, but again, keep in mind this ONLY applies to client-to-site VPN: under Global Properties -> VPN -> Advanced -> Enable backup gateway, then swing over to the firewall object and, once you open the object itself, under VPN you will see the option to choose a backup gateway -> enable that and choose the right backup gateway, push policy. Steps would be something like this:

  • Add backup gateway to Remote Access VPN community
  • Enable backup gateway option in global properties
  • Configure backup gateway setting on primary gateway/cluster object
  • Edit $FWDIR/conf/trac_client_1.ttm to remove the MEP disable override (this is NOT on mgmt, but the gateway ONLY)
  • Install policy
  • Test VPN to primary
  • Test VPN to backup
  • Test VPN failover