This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Renjith_M_P
Contributor
‎2018-07-04 04:38 AM

VPN Solution

Hi All,

As shown in the diagram, i have a requirement. Site 1 is connected with Remote Site (marked as permanent tunnel) this is working and up. now i need to configure Redundant Tunnel between Site 2 and Remote Site. as per my understanding MEP will work only with checkpoint. what other solution can be provide here and how do i define priority and route.

Preview file
73 KB
8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-07-04 04:45 AM

I just can see a Cisco ASA here - where is which Version/type of CP VPN GW you want a solution for ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Renjith_M_P
Contributor
‎2018-07-04 05:07 AM
In response to G_W_Albrecht

checkpoint at both site is managed by same management

Version

CP -77.30

ASA-9.x

0 Kudos
Renjith_M_P
Contributor
‎2018-07-04 05:05 AM

CP -77.30

ASA-9.x

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-07-04 05:19 AM

So both CPs have only one VPN tunnel each, but ASA has one main (permanent) and one redundant VPN tunnel - please correct me if i am wrong. So all redundancy configuration must be done on ASA - maybe a Cisco Forum would be more appropriate for this question .

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Renjith_M_P
Contributor
‎2018-07-04 05:27 AM
In response to G_W_Albrecht

No,traffic initiator is CP. there is only one VPN tunnel between Site 1 and Remote ASA site. i need to implement a new backup tunnel from site 2 to Remote ASA. in this setup primary tunnel is Site1 to remote ASA. in case of any failure at site 1, the traffic should pass through Site 2 to Remote ASA. 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-07-04 05:57 AM

Route Based VPN could be adequate to this scenario, using Numbered VTI. See this discussion:

https://community.checkpoint.com/thread/6641-how-can-i-setup-a-primary-and-backup-s2s-vpn-tunnels

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Timothy_Hall
MVP Gold
MVP Gold
‎2018-07-05 05:26 AM
In response to G_W_Albrecht

If heading down the route-based VPN path, R80.10 or later on the gateway is strongly recommended.  Prior to R80.10 the utilization of the route-based VPN feature required CoreXL to be disabled (i.e. only one Firewall Worker/kernel instance for all traffic processing).

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Houssameddine_1
Collaborator
‎2018-07-05 09:42 AM

if checkpoint gw protecting the same networks and if you don't want to use route based vpn you can try to apply NAT on one of the checkpoint gateways to present different networks for the ASA as encryption domain.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events