djhs702
Explorer

Two VPN tunnels using the same encryption domain?

Hi,

We have a site running R80.20 that is connecting to a site running FortiGate, and they have two ISPs there. These will be a primary and a backup link; no load balancing is being used. On the Check Point side, I have created two interoperable objects (one for each ISP) and attached the same encryption group to each. I can get the tunnels up using this method, but the Check Point side will only ever try encrypting to the ISP A side.

I opened a CP ticket and they said the only way we can get this working is by upgrading to R80.30 and using MEP with DPD. Are there any ideas on a way to get this working within R80.20? Perhaps route-based VPNs would work, but we don't currently use that at all, and any implementation would have to not interfere with our existing setups. Appreciate any advice on this.

0 Kudos
7 Replies
PhoneBoy
Admin

This might work with route-based VPNs.
They can work with existing domain-based VPNs.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

That said, there are other reasons to upgrade to R80.40 (e.g. different encryption domains per peer).

0 Kudos
Bob_Zimmerman
Advisor

Route-based VPNs can definitely do this on the Check Point side. Not sure about on the Fortinet side, as my experience with route-based VPNs on their platform is limited.

To the best of my knowledge, the VTI always shows as "up", so you would also need to use dynamic routing to have the two gateways negotiate which link to use. I have done this in the past to select between a dedicated WAN link and a VPN backup, but it should work the same way to select between two VPN paths.

0 Kudos
Andreas_Aust
Collaborator

Route-based VPN is the solution.

0 Kudos
pankajagr83
Explorer

We have the same topology. We have installed R80.40, but I face an issue with the secondary tunnel's DPD expiring and renegotiating every hour. Tunnel 1 is working and tunnel 2 phase 2 is going down. When the primary tunnel is down, the secondary is not coming up; we have to bounce the tunnel.

Can you give me a solution?

Can I do the load balancing configuration in Global Properties --> VPN so both tunnels will be utilized?

or

Or, in SmartDashboard Global Properties --> Advanced --> VPN Advanced --> enable keep_IKE_SAs?

We have also seen packet drops in the primary tunnel.


0 Kudos
the_rock
Authority

If I were you, I would NEVER upgrade just for this; it would never fix your problem, and it simply sounds like whoever you spoke to in TAC used that as an excuse not to do any work to help you further. I'm literally positive that even if you had R65, the issue would be exactly the same. Yes, you can use route-based VPN, but I do know that in R80.xx versions there is an option in GuiDBedit to actually turn off supernetting for a specific tunnel. That might not really fix your issue, but it's worth a shot.

Andy

0 Kudos
_Val_
Admin

@the_rock please try to avoid accusations without proof. Your statement can only be made based on the actual case details. You do not have those, do you? We would like to maintain community spirit based on mutual respect and willingness to help each other out. Thank you.

@djhs702 Could you please send me your case number via PC? 

0 Kudos
the_rock
Authority

Not accusing anyone, just stating facts, also based on personal experience 🙂

0 Kudos