Two VPN tunnels using the same encryption domain?
Hi,
We have a site running R80.20 that is connecting to a site running FortiGate, and they have two ISPs there. These will be a primary and backup link, and no load balancing is being used. On the Check Point side, I have created two interoperable objects (one for each ISP) and attached the same encryption group to each. I can get the tunnels up using this method, but the Check Point side will only ever try encrypting to the ISP A side.
I opened a CP ticket and they said the only way we can get this working is by upgrading to R80.30 and using MEP with DPD. Are there any ideas on a way to get this working within R80.20? Perhaps route-based VPNs would work, but we don't currently use that at all, and any implementation would have to not interfere with our existing setups. Appreciate any advice on this.
This might work with route-based VPNs.
They can work with existing domain-based VPNs.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
That said, there are other reasons to upgrade to R80.40 (e.g. different encryption domains per peer).
Route-based VPNs can definitely do this on the Check Point side. Not sure about the Fortinet side, as my experience with route-based VPNs on their platform is limited.
To the best of my knowledge, the VTI always shows as "up", so you would also need to use dynamic routing to have the two gateways negotiate which link to use. I have done this in the past to select between a dedicated WAN link and a VPN backup, but it should work the same way to select between two VPN paths.
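One concrete way to lay out the route-based design the reply above describes, as an added example that is not part of the original thread and not Check Point's, Fortinet's or any poster's own configuration: two numbered VTIs on the Check Point gateway, one per FortiGate ISP address, and two static routes to the remote LAN with different priorities, using Gaia's nexthop ping monitoring as a lighter-weight substitute for the dynamic routing the reply mentions (the VTI stays "up", so something has to detect that the far end of a given tunnel has stopped answering). The peer object names, the /30 tunnel addresses, the remote subnet and the priority values are assumptions; the peer names must match the two interoperable device objects in SmartConsole, and the ping monitoring only works if the FortiGate answers ICMP on its VTI addresses. Comment lines are explanation, not clish commands.

```clish
# Gaia clish on the Check Point gateway. Assumed values: peer objects
# FortiGate_ISP_A / FortiGate_ISP_B, tunnel /30s from 169.254.0.0/16,
# remote LAN 192.168.100.0/24.

# One numbered VTI per FortiGate public address (one interoperable object each).
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.2 peer FortiGate_ISP_A
add vpn tunnel 2 type numbered local 169.254.2.1 remote 169.254.2.2 peer FortiGate_ISP_B

# Same destination via both VTIs; the lower priority value is used while its
# nexthop answers, the other route is the standby path.
set static-route 192.168.100.0/24 nexthop gateway address 169.254.1.2 priority 1 on
set static-route 192.168.100.0/24 nexthop gateway address 169.254.2.2 priority 2 on

# Nexthop ping monitoring: the gateway pings each nexthop across its VTI. When
# 169.254.1.2 stops answering (ISP A down), that nexthop is withdrawn and
# traffic falls to the priority-2 route over VTI 2 without any operator action.
set static-route 192.168.100.0/24 ping on

save config
```

Two checks belong with this. First, Check Point's route-based VPN guidance has the VPN domain of the participating objects set to an empty group (otherwise the domain-based match keeps steering traffic to whichever peer is listed first, which is exactly the symptom in the opening post); confirm that in the community before testing. Second, verify the result from the gateway with `show vpn tunnels` in clish for the VTI definitions and `vpn tu` in expert mode for the live IKE/IPsec SAs, then pull the ISP A link and watch the static route flip to the priority-2 nexthop.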
Route-based VPN is the solution.
We have the same topology. We have installed R80.40, but I face an issue with the secondary tunnel: DPD expiring and renegotiating every hour. Tunnel 1 is working and tunnel 2 phase 2 is going down. When the primary tunnel goes down, the secondary is not coming up. We have to bounce the tunnel.
Can you give me a solution?
Can I do a load balancing configuration in Global Properties --> VPN so both tunnels will be utilized?
or
in SmartDashboard Global Properties --> Advanced --> VPN Advanced --> enable keep_IKE_SAs?
Also we have seen packet drops in the primary tunnel.
If I were you, I would NEVER upgrade just for this; it would never fix your problem, and it simply sounds like whoever you spoke to in TAC used that as an excuse not to do any work to help you further. I'm literally positive that even if you had R65, the issue would be exactly the same. Yes, you can use route-based VPN, but I do know that in R80.xx versions there is an option in GuiDBedit to actually turn off supernetting for a specific tunnel, though that might not really fix your issue, but worth a shot.
Andy
@the_rock please try to avoid accusations without proof. Your statement can only be made based on the actual case details. You do not have those, do you? We would like to maintain community spirit based on mutual respect and willingness to help each other out. Thank you.
@djhs702 Could you please send me your case number via PC?
Not accusing anyone, just stating facts, also based on personal experience 🙂