JED
Participant

Route Based VPN with numbered Vti migration from Standard Cluster to Maestro

Hi,

We currently have the route-based VPN with numbered VTIs. This is currently configured on a cluster and is configured using the VIP, GW1, GW2 and the remote address for the formation.

This works correctly and the resiliency between GW1 and GW2 operates correctly upon failover (the BGP re-establishes when the partner member becomes active).

We are now migrating to a VS Maestro based deployment.

The main question we have is as follows:

a) Does the configuration from gclish follow the same format, with a VTI x on member 1 and then VTI x on member 2, or does this configuration change? We will have three members in the VS cluster.

b) Currently, referencing (a) above, the configuration is specifically performed on the two cluster members. How will this be completed on the Maestro? (The cluster is a three-member unit and they are not physically configured separately as we did in the standard two-blade cluster.)

c) Having gone through the technical documents we have failed to obtain any sample configuration/scenarios. For us this will be a migration from standard cluster VTI config to a Maestro based deployment.

Any information or details that anyone may have regarding this would be most appreciated.

Regards,

JED

5 Replies
Nir_Shamir
Employee

When you configure a Maestro Security Group you consider it a single GW. This means that on the physical interfaces you configure the VIP and not the members' physical IP addresses.

Same thing with VTIs. On the Security Group you configure the tunnel's local IP address as the tunnel VIP you are using today.

Lesley
Authority

Here is a config example of a Maestro setup:

You do all changes in global clish!

gclish:

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer <Name of the interoperable device from SmartConsole>

Example of above:

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

set interface vpnt1 state on
set interface vpnt1 mtu 1500
set interface vpnt1 comments "VPN tunnel with remote party"

set static-route 172.16.0.0/24 nexthop gateway logical vpnt1 on
set static-route 172.16.0.0/24 comment "VPN tunnel with remote party"

In SmartConsole, on the SMO object, you have to get the interfaces (Get Interfaces Without Topology).

You can only fetch these types of interfaces, not create them manually!

Configure the VPN community with empty encryption domains and done.

-------
If you like this post please give a thumbs up(kudo)! 🙂
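A pre-flight check for the gclish block above, added here as an example and not part of Lesley's post or any Check Point tool: it parses the command lines on a workstation and confirms that every vpntN interface setting and static-route nexthop refers to a tunnel defined by "add vpn tunnel N", and that each defined tunnel is switched on, so a typo is caught before the commands are pushed to every SGM at once. The sample text and the extra 172.16.1.0/24 route are constructed.

```python
import re

# Constructed sample: the Maestro VTI commands from the post, plus one deliberate
# slip (a route pointing at vpnt2, which no "add vpn tunnel 2" defines).
SAMPLE = """
add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer
set interface vpnt1 state on
set interface vpnt1 mtu 1500
set interface vpnt1 comments "VPN tunnel with remote party"
set static-route 172.16.0.0/24 nexthop gateway logical vpnt1 on
set static-route 172.16.0.0/24 comment "VPN tunnel with remote party"
set static-route 172.16.1.0/24 nexthop gateway logical vpnt2 on
"""

# Command shapes as they appear in the post (assumption: no other variants used).
TUNNEL = re.compile(r"^add vpn tunnel (\d+) type numbered local (\S+) remote (\S+) peer (\S+)$")
IFACE = re.compile(r"^set interface vpnt(\d+) (state|mtu|comments) (.+)$")
ROUTE = re.compile(r"^set static-route (\S+) nexthop gateway logical vpnt(\d+) on$")


def check_vti_config(text):
    """Return a list of problems found in a block of gclish VTI commands."""
    tunnels, enabled, problems = {}, set(), []
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    for line in lines:  # first pass: collect the tunnel definitions
        if m := TUNNEL.match(line):
            tid, local, remote, peer = m.groups()
            if tid in tunnels:
                problems.append(f"tunnel {tid} defined twice")
            if local == remote:
                problems.append(f"tunnel {tid}: local and remote address are the same")
            tunnels[tid] = (local, remote, peer)
    for line in lines:  # second pass: every vpntN reference must resolve
        if m := IFACE.match(line):
            tid, attr, value = m.groups()
            if tid not in tunnels:
                problems.append(f"set interface vpnt{tid}: no 'add vpn tunnel {tid}'")
            elif attr == "state" and value == "on":
                enabled.add(tid)
        elif m := ROUTE.match(line):
            dest, tid = m.groups()
            if tid not in tunnels:
                problems.append(f"route {dest}: nexthop vpnt{tid} is not a defined tunnel")
    for tid in tunnels:
        if tid not in enabled:
            problems.append(f"tunnel {tid} is defined but 'set interface vpnt{tid} state on' is missing")
    return problems


if __name__ == "__main__":
    print("\n".join(check_vti_config(SAMPLE)) or "no problems found")
```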
Nir_Shamir
Employee

CLISH and GCLISH commands are the same.

The difference is that when working with GCLISH every command is configured on all SGMs at once, because we need the configuration to be consistent on all of them.

So in Maestro, only work in GCLISH.

JED
Participant

Hi Lesley,

Many thanks for the reply.

From what you have demonstrated, it is showing the single entry for the VTI (shown below):

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

Therefore I am assuming this is all that is required, as opposed to where we had a two-blade cluster, where we would have had the following (based on your example): a single VTI config on each blade.

Blade 1

add vpn tunnel 1 type numbered local 1.1.1.2 remote 1.1.1.1 peer FW-Remote-Peer

Blade 2

add vpn tunnel 1 type numbered local 1.1.1.3 remote 1.1.1.1 peer FW-Remote-Peer

All I need is confirmation that it would only be the single entry for the operation on Maestro.

Lesley
Authority

I have 4 gateways in my security group and only 1 IP is needed. All 4 gateways have this interface with the same IP.

Because you change it in gclish, it will change it on ALL gateways in the security group. In SmartConsole you have only 1 SMO (firewall object) that has one interface.

-------
If you like this post please give a thumbs up(kudo)! 🙂