This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dphonovation
Collaborator
‎2023-01-10 06:16 PM

Unable to get VPN Link Selection working with 3rd party peer

I have a 81.10 Security gateway with two WAN interfaces, representing two ISPs:

eth1 - IP: x.x.x.97 (default route thru here)

eth5 - IP: x.x.x.103 (backup default route gets installed if eth1 peer goes down)

Behind this gateway I have 10.10.171.0/24

 

 

I have a remote 3rd party peer with one interface:

eth3 - IP: z.z.z.201

Behind this gateway I have 192.168.1.0/24

 

 

I have initially setup my tunnel like so:

Checkpoint Enc Domain: 10.10.171.0/24        VPN Peer with: z.z.z.201

Remote Enc Domain: 192.168.1.0/24              VPN Peer with x.x.x.97

.. and it is flowing thru eth1

 
 
 

I'm now attempting to test a failover scenario and on the 3rd party peer - I want to be able to switch the VPN Peer on the 3rd party device to use x.x.x.103, but I cannot get the Checkpoint to route of that interface. The best I've gotten is an initiated tunnel, 3rd party sends to eth5, but response packets seem to be still going out the default route (eth1)

I have done my best to read this doc: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

And I'm also referencing these threads:
https://community.checkpoint.com/t5/General-Topics/How-to-create-a-IPSEC-VPN-tunnel-through-multiple...

https://community.checkpoint.com/t5/General-Topics/IPSec-VPN-Link-Selection/m-p/10724




This is how I have the general gateway cluster configured for IPSec VPN Link Selection:

dphonovation_5-1673400973832.png

dphonovation_6-1673401028077.png

 


And on the "Interoperable Device" representing the 3rd party peer:

dphonovation_9-1673401873806.png

 

 

 

By all the other posts this seems to be doable but I'm not having any luck. Perhaps I'm misunderstanding something.

The only way I can get it to work is by:

  • adding a static route back to z.z.z.201 to route through ISP at eth5

dphonovation_10-1673402314120.png

 

Could anyone shed some light?

For further reference, my default routing table:

 

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2023-01-10 06:31 PM

First thing that comes to my mind when talking about ISP redundancy/VPN...is option on gateway properties under ISP redundancy to "apply to VPN traffic" checked or not?

0 Kudos
dphonovation
Collaborator
‎2023-01-10 06:34 PM
In response to the_rock

I note this statement from the docs however:

ISP Redundancy is not supported if Dynamic Routing is configured 

So does this apply to my default route or if BGP is used at all?

I can change my default routes to static; but I need to retain my ability to redistribute BGP to both the ISPs (which I do from a NAT pool)

0 Kudos
the_rock
Legend
Legend
‎2023-01-10 06:41 PM
In response to dphonovation

I know document says that, but thats not quite true. As long as no BGP route CONFLICTS with default route, you are fine.

dphonovation
Collaborator
‎2023-01-10 06:40 PM
In response to the_rock

Just also noticed this statement:

  • The IP addresses assigned to physical interfaces on each Cluster Member must be on the same subnet as the Cluster Virtual IP address.

 

And my members use a different subnet than the VIP, according to this SK (I wanted to conserve my IPs). this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

0 Kudos
dphonovation
Collaborator
‎2023-01-13 06:23 AM
In response to the_rock

I'm not sure ISP Redundancy is my solution here. Nothing about selecting a different link/interface implies I need to enable it. I simply want to use a different interface when initiating traffic or alternatively, ensure that when responding to an ipsec tunnel that traffic is sent out the interface it came in on - instead of using the default route.

0 Kudos
the_rock
Legend
Legend
‎2023-01-13 06:29 AM
In response to dphonovation

I get what you are saying, BUT, Im not sure thats possible on CP and reason I say that is because you cannot sadly have a route thats disabled and can be enabled only if another route fials (I never ever heard of that being possible). You may want to open TAC case to get an official answer though, better have it writting from the vendor.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events