Matthieu_B
Explorer

Multiple ISP for VPN

Hello everyone,

I would like to ask you a question about the CheckPoint VPN.

I would like to use 2 public IPs to set up a VPN.
Indeed, several partners with whom I work have two Internet accesses on their firewall.

It asks me to mount a VPN with 2 public IPs for redundancy.

On the Fortigate firewall, it seems that they have an option to: if the first ISP falls, it automatically switches to the second.

How can I do this on CheckPoint?
Do I have to put several gateways in the community?

Thank you for your help

PS: I hope it doesn't have too many mistakes, English is not my native language

PS: I have seen this post (https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-Access-VPN-with-Two-Public-IP-Address-f...), but it doesn't meet my expectations

0 Kudos
2 Replies
Wolfgang
Mentor

@Matthieu_B you can do this with several gateways, but there's no need for these.

"VPN Link Selection" will be the feature of your need. You can define more than one interface to be used for VPN connections. You can do LoadSharing or HA on the defined links. With Check Point Gateways on both ends of the tunnel you have to enable these, set the relevant interfaces, define the source IP addresses, and that's it. Via RDP probing on port UDP/259 the availability of the line will be probed. Start with your configuration here:

Link Selection in R81.10 

With third party gateways you have to define the other gateways as "interoperable device" and with these setting DPD (Dead Peer Detection) is used to probe the line. I don't remember from which release the support of DPD started, but from R80.40 you'll be fine.

0 Kudos
the_rock
Champion

This is for R77, but it's exactly the same for R80+

https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/89364.htm

What I did for one customer is check the option to apply to VPN settings, so then in link selection, make sure under view options that the primary link is what you prefer, and then it would fail over to the other one if there are any issues. Now, ISP redundancy is NOT supported for remote access, so if you need that, it might be a bit trickier to make it work, depending on requirements.

0 Kudos