This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nycc3883
Explorer
‎2020-02-21 06:11 AM
Jump to solution

Multiple WAN IP for IPSEC

I have 5 public static IP.

1 IP attach cluster, 2 IP attach each member.

Remaining 2 IP, i would like to use it as IPsec to serve as primary and secondary.

Is it possible? Please advise

0 Kudos
1 Solution

Accepted Solutions
Danzaroonie
Explorer
‎2020-02-25 02:59 AM
In response to nycc3883
Jump to solution

Might be able to use Gaia Policy-Based routing...(just a thought)

You can define x2 default routes for ISPA and ISPB, However you still need to define the cluster topology information correctly.

The Policy-Based routing table will also have to be manually defined for each connected network. (bit of a pain if you have a few).

As an example...(I have done this for a customer that wanted a DMZ routed out a specific ISP, so can't see why this would not work in the same manner)

Client A - 10.100.0.0/24 would always route out of ISPA

Client B - 10.200.0.0/24 would always route out of ISPB

regards

Dan

 

View solution in original post

0 Kudos
9 Replies
Maarten_Sjouw
Champion
Champion
‎2020-02-21 01:50 PM
Jump to solution

Where would you want to assign those extra IP's?
When the Cluster is running the VPN's you use the cluster IP to terminate the VPN on and the 2 members will utilize that IP whenever they are the active member.
Regards, Maarten
0 Kudos
nycc3883
Explorer
‎2020-02-21 05:16 PM
In response to Maarten_Sjouw
Jump to solution

Yeah, this is one of the thing which i want to know, is there anywhere that i can attach these public ip.

0 Kudos
FedericoMeiners
Advisor
‎2020-02-21 04:38 PM
Jump to solution

Can you tell us what's your use case?

In other words: What are you trying to achieve by having two IPs from the same prefix and same ISP for IPSEC VPNs?

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
nycc3883
Explorer
‎2020-02-21 05:14 PM
In response to FedericoMeiners
Jump to solution

What i want to achieve is, in my environment i have separate entity company.

They are using the same Infra, but the network inside are separated, not communication with each other.

So for this, i would like to also separate the public ip that the user from external point to them.

For example,:

User from company A point to this public ip to access their company resources

User from company B point to a different public ip than company A to access their company resources.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-21 05:23 PM
In response to nycc3883
Jump to solution

Pretty sure you can't do what you're describing without using VSX on your gateways.
Each company would have its own VS (virtual system, i.e. firewall) each with its own access policy and public IP.
0 Kudos
nycc3883
Explorer
‎2020-02-21 05:51 PM
In response to PhoneBoy
Jump to solution

I thought so too. 

Just verifying whether is there alternative solution to these as the support is taking long time to assist on troubleshooting.

0 Kudos
Danzaroonie
Explorer
‎2020-02-25 02:59 AM
In response to nycc3883
Jump to solution

Might be able to use Gaia Policy-Based routing...(just a thought)

You can define x2 default routes for ISPA and ISPB, However you still need to define the cluster topology information correctly.

The Policy-Based routing table will also have to be manually defined for each connected network. (bit of a pain if you have a few).

As an example...(I have done this for a customer that wanted a DMZ routed out a specific ISP, so can't see why this would not work in the same manner)

Client A - 10.100.0.0/24 would always route out of ISPA

Client B - 10.200.0.0/24 would always route out of ISPB

regards

Dan

 

0 Kudos
nycc3883
Explorer
‎2020-02-26 06:58 AM
In response to Danzaroonie
Jump to solution

Thanks for the sharing.

Will explore on this.

0 Kudos
Chris_Hoff
Contributor
‎2020-03-05 01:50 PM
In response to nycc3883
Jump to solution

I would have to agree with Phoneboy that if you are wanting to keep them isolated, you would need to utilize VSX. Beyond the issue of IPs/Isolation, how are you planning to authenticate the users (I am assuming remote access based on your "user" verbiage above)? With a single Gateway/cluster, you are not going to be able to use different authentication methods. 

Are you planning to use the Mobile Access Blade (i.e. SSL VPN)? Or are you planning to use the Endpoint Client? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events