This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Elixir
Explorer
‎2023-10-27 04:43 AM

VPN from Cluster with non-Clustered WAN Interface

Looking to remove the CPE Routers from the Network and plug a Check Point Cluster in place of them

As such would have 2 WAN Circuits with 1 Circuit going directly into each member of the Cluster.

Hopefully the attached diagram shows clearly enough what looking for.

WAN Interface would then be static IP assigned but each member would be separate IP Range and be marked as Monitored Private so that no Cluster IP as only exists on that member.

As not Clustered then cannot use the ISP Redundancy to publish the WAN Circuits as each member only see's it's own WAN Circuit. and ISP Redundancy requires that both members can see the Next Hop for each Connection which is not true here.

Marked as Monitored Private so that if fails then the Cluster fails over to the other Member and traffic goes out via the other WAN Circuit.

LAN Side would be clustered so traffic goes to the Active Member and out via that WAN Circuit.

 

Traffic wise then from a pure Routing/Firewall then works in that traffic goes out to the Internet and seen as the WAN Circuit IP address that leaves.   Disconnect the WAN on Member 1 and fails over and seen from WAN of Member 2.

 

However the VPN fails to establish at Phase 1 even though both VPN Systems managed by the same Smart-1 Cloud.

Updated the VPN Link Selection to be by topology for Peers as needs to be either WAN Circuit.    Probing doesn't return the WAN Circuit as not a cluster when retrieve it only retrieves the LAN Cluster IP so can't use the Member IP.   Source is using IP of chosen Interface so would expect that uses the WAN Circuit IP.   Have updated the cert for the Cluster with the WAN Circuit IP addresses as well and published to the Cluster and also the VPN Gateway wanting to connect too.

However despite using Certificates and a Common Management System then P1 of the VPN just will not establish.

Wandering if anyone else tried this and if so what tweaking had to be done on the Cluster Object to make it work.

 

Nearest I can find to this topology wise in the Documentation is the the Gaia Active-Active ClusterXL for where Cluster Members located different locations and thus separate Interfaces however that states does not support the VPN Blade so not sure if this going to be the issue here in that when VPN from a Cluster then has to be a Clustered Interface so along with the ISP Redundancy requiring the interfaces to be Clustered does make me question if this is even possible with non-Clustered interfaces.

Whilst initially looking at SMB Boxes then if needs to be Full Gaia ie 3000 series then it wouldn't be impossible.

 

Appreciate any feedback shared with how people got on with achieving this.

Michael

Preview file
30 KB
0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-10-27 06:15 AM

I do not think this is possible using SMB clusters - they have to have the same WAN connection using the VIP. Open SR# with TAC to learn how to do that using which hardware !

@PhoneBoy - can you move this to SMB as it concerns 15xx SMBs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Elixir
Explorer
‎2023-10-27 07:07 AM
In response to G_W_Albrecht

So do you believe that this would actually be possible with Full Gaia Cluster as opposed to Gaia Embedded.

I opened in general as opposed to SMB as whilst looking at SMB currently then this isn't restricted to using SMB boxes if Full Gaia is required however even with Full Gaia then where have different WAN Connections ie ClusterXL Active-Active then it states doesn't support the VPN Blade.

0 Kudos
Will_Hargreaves
Employee
Employee
‎2023-10-31 03:16 AM
In response to Elixir

@G_W_Albrecht @PhoneBoy I too am interested to know if you think this would work with full GAIA. 

To my mind we are also unable to meet this requirement with full GAIA due to Step 6b on page 66 of the ClusterXL R81.20 admin guide (see attached image). I would love to be proved wrong however! 🙂

Preview file
36 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-10-31 03:42 AM
In response to Will_Hargreaves

Correct - i assume it is neither possible using GAiA nor using Embedded GAiA. But the posted issue is about HA Clustering and does not work as Embedded GAiA needs the VIP for clustering.

For second question: Active-Active clustering does not make much sense anyway, if one node fails, you are in very serious trouble...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-31 10:32 AM

What is your setting(s) for Link Selection?
I suspect having different settings for different cluster members is going to be an issue here...and may cause this not to work.

0 Kudos
Elixir
Explorer
‎2023-11-02 11:26 AM
In response to PhoneBoy

Well what I would have thought should be the Link Selection is

Calculate IP Address based on Network Topology

Cannot use the Always use this IP address as there are 2 and would expect that uses the External Interface but VPN debugs still seemed to refer to the Internal Cluster IP address though not sure if that is just because the Main IP is the Cluster Defined IP address.

Cannot use Probing as that doesn't find a Non-Clustered Interface only Clustered.

Not sure how DNS Probing would work if setup DNS to respond with both as in would it attempt the primary and then the secondary if that failed or would it just take the first one.

For the Source IP address then set as Manual and IP address of Chosen Interface.

Also made sure that the VPN Certificate has the WAN IP in the them by adding them and then publishing out to the Main Site and the Branch so they both have the updated Certificate details.

However not 100% convinced that would work and doesn't seem too but isn't a scenario replacing the CPE but still VPN as well.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-11-01 03:21 AM

I would contact CP TAC to get an answer !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events