Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
WingChow
Participant

Link selection into a VPN Community Settings | R81.20?

Hello,

Is there any possibility of incorporating some functionalities such as including the Link selection configuration within the VPN community as VPN Domain introduced in R80.40?

Uploaded Image

Within the history of Check Point there is always a problem when you want to build different VPNs with different external links and incorporating such functionality would be a great step to remedy limitations.

We'll be very grateful.

Best regards,

18 Replies
PhoneBoy
Admin
Admin

Normally you'd do this based on routing.
That said, I can see having different fixed options for different peers would be useful.
Regardless, I don't believe this is part of R81.20 (but could be wrong).

0 Kudos
WingChow
Participant

Yep, Exactly but it would be an improvement to choose the link selection by community VPN of course always Based of Routing. To prevent this type of issues as sk173048.

I hope that will be in roadmap all those features.

Regards,

0 Kudos
Blason_R
Leader
Leader

Correct - This has always been an issue with VPN redundancy with 3rd party devices. Even if Check Point has multiple ISP links we wont able to utilize all those to configure redundant VPN tunnel.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
WingChow
Participant

I've been waiting for that feature, because is very difficult to use all external ISP from the customer. Can we have any updates in R81.30 PhoneBoy?

That will fix a link selection issue. 

0 Kudos
WingChow
Participant

I've been waiting for that feature, because is very difficult to use all external ISP for 3rd Party VPN. Can we have any updates in R81.30?

That will fix a link selection issue. 

0 Kudos
Blason_R
Leader
Leader

That is always been a issue and I shifted to other solution when there is such need where I wanted to consume both the ISP links for VPN tunnels.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
idants
Employee
Employee

Hi,

We have a planned offering for this use case by the end of 2022.

I would be happy to meet and get more details on the use-case and the needs to make sure we are aligned.

Thanks,

Idan Tsarfati

R&D Group manager of IPsec VPN & HTTTPs inspection

WingChow
Participant

Hi idants,

Great!! I'll be ready for any updates and more about Link Selection into a  VPN Community for 3rd Party GW VPN.

Best regards,

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello idants 

Any news about this?

0 Kudos
Blason_R
Leader
Leader

Well - we have so many customers are waiting for this feature and big adoption of cloud has really made this impossible to stay with one IP hence I managed to move tunnels on other devices which offers much more flexibility in configuring the tunnels.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin

I believe this feature is planned for R82.

0 Kudos
idants
Employee
Employee

This new feature is planned to be released as part of R82.

Some of the VPN capabilities are already available as part of SDWAN (R81.20).

You are welcome to share the exact use-case offline to understand if it might work.

0 Kudos
genisis__
Leader Leader
Leader

Does this include VPN backup so that if the primary remote unit is down it will attempt to use the backup VPN device?

0 Kudos
RS_Daniel
Advisor

Hello @idants,

Use case: CheckPoint gateway "FW01" working as Internet Perimter fw, has two or more external interfaces. This gateway has s2s vpn's with many different third party gateways through all its ISP connections. FW01 can send only one IP address as its IKE Main Mode ID. Let's say we use external IP of ISP1 as our IKE Main Mode ID, all the remote peers that connect to ISP2 or ISP3 will receive a "wrong" IP address as IKE Main Mode ID. In these cases it brings additional complexity to the vpn, because in my experience this parameter is almost never configured manully, it is left as default, so we have to explain to third party admins what this parameter is, why we send a different IP address and ask to fix this on their end, because we can not do it on our side. In case this gateway has a WAN (different interface/IP) connection which also builds s2s vpn's with third parties it becomes more complex even.

It becomes more restrictive in case the same FW01 builds vpn's with other centrally managed gateways, where we normally would use Link Selection to have redundancy, but if we use HA or LS, it makes FW01 send the main ip adress as Main Mode ID mandatory.

Regards 

0 Kudos
CheckPointerXL
Advisor
Advisor

i've found a working solution in my lab; bring up 2 tunnels with two IPs (two ISP in real word), settings here:

 

vpnduallink.JPG

 

of course you need to drive the tunnel to the second link by adding a static route to /32 ip remote peer adddress

 

0 Kudos
Blason_R
Leader
Leader

Really  - Did that work?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
CheckPointerXL
Advisor
Advisor

LABdualLink.JPG

0 Kudos
Blason_R
Leader
Leader

Hmmm - Let me try that out and see.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events