VPN redundancy - On premise to AWS

Hi Community.

With the increase in popularity of AWS, we have been receiving many requests to set up or troubleshoot VPNs of this kind.

 

image.png

 

One of the most popular calls is due to a VPN outage caused in deployments with static routes (sk100726) where customers have ticked the "ping" checkbox in the route, as mentioned in the sk by the way.

From time to time the route disappears from the route table and thus traffic is not forwarded. 

This is fine: you remove the tick from the ping checkbox in the static route and everything is back to normal (many TAC cases opened confirming this).

But this raises the question that automatic redundancy does not work and that sk100726 gives a false sense of security.


What's your approach when configuring mesh tunnels like these towards AWS?

Has anyone tried sk164355? Is BGP the best option? 


Thanks in advance

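As an added example (not from this thread, and not Check Point's own tooling), a small Python check that parses a route-table snapshot and flags when one of the expected tunnel routes toward the VPC has vanished, which is the symptom described in the post. The route-table layout, the VPC prefix, next hops and interface names are all assumed values constructed for the example.

```python
import re

# Constructed route-table text in an assumed "show route" style.
# Prefix 10.20.0.0/16 and the tunnel next hops/interfaces are hypothetical.
ROUTES_HEALTHY = """\
Codes: C - Connected, S - Static, B - BGP
S 10.20.0.0/16 via 169.254.10.1, vpnt1, cost 0, age 3600
S 10.20.0.0/16 via 169.254.11.1, vpnt2, cost 0, age 3600
C 192.168.1.0/24 is directly connected, eth1
"""

# The same table after one monitored static route has been withdrawn.
ROUTES_DEGRADED = """\
Codes: C - Connected, S - Static, B - BGP
S 10.20.0.0/16 via 169.254.11.1, vpnt2, cost 0, age 3600
C 192.168.1.0/24 is directly connected, eth1
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\S+)\s+via\s+(?P<nexthop>\S+),\s*(?P<iface>\S+),"
)


def parse_routes(text):
    """Return {prefix: {(nexthop, iface), ...}} for every 'via' route line."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.setdefault(m["prefix"], set()).add((m["nexthop"], m["iface"]))
    return routes


def check_redundancy(text, expected):
    """expected maps prefix -> set of tunnel interfaces that should carry it.
    Returns {prefix: (state, lost_ifaces)} where state is 'missing' (no path
    left), 'degraded' (some paths gone, still reachable) or 'ok'."""
    present = parse_routes(text)
    report = {}
    for prefix, ifaces in expected.items():
        live = {iface for _, iface in present.get(prefix, set())}
        lost = sorted(ifaces - live)
        state = "missing" if not live else "degraded" if lost else "ok"
        report[prefix] = (state, lost)
    return report


EXPECTED = {"10.20.0.0/16": {"vpnt1", "vpnt2"}}

if __name__ == "__main__":
    for name, table in (("healthy", ROUTES_HEALTHY), ("degraded", ROUTES_DEGRADED)):
        print(name, check_redundancy(table, EXPECTED))
```

Run it from cron against a fresh snapshot and alert on anything other than "ok"; a "degraded" result is exactly the silent loss of one path that the ping option can produce.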
Admin

Are you using Dead Peer Detection?
Iron

As responder mode.

But for it to help with the redundancy it should be R80.30s sk164355, is it? In a MEP style + DPD
Admin

sk164355 seems like the right approach, yes.

I think the best way would be to set up 2 VPNs with routed VPN (VTIs) and BGP for this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Nickel

Hi, does it require BGP?

From the AWS documentation it also supports 2 routed VTIs without BGP. Since VTI is route based, if the 1st VTI VPN tunnel is down, would it route through the 2nd VTI VPN tunnel automatically?
https://docs.aws.amazon.com/vpc/latest/adminguide/check-point-NoBGP.html