
Redundant Site to Site VPNs

Has anyone been able to set this up between Check Point and third party devices? It's Palo Alto in this case. And I will be using different public IPs on local and remote peers.

Do I create a new community with the secondary peer IP address? Or add a gateway to the existing community? What happens with routes (I added another route with a higher metric for the secondary IP peer)? How does Check Point disable the primary route so the secondary route kicks in if the primary VPN tunnel goes down?

I know Palo has something that monitors an IP and if it goes down it disables the primary interface so the secondary kicks in. I'm just wondering what's the best way to do this on my Check Point side.

11 Replies

Re: Redundant Site to Site VPNs

It's a work in progress, I'm missing something.

On the Check Point side, secondary IP added to the same community, added the secondary route for the remote network to the routing table.

Palo Alto doing its thing with tunnel monitoring.

On testing (logically bringing down the tunnel and/or physically disconnecting the interface), ping is acting a bit strange, giving timeouts, yet other services like https, snmp, etc. are working correctly.

Admin

Re: Redundant Site to Site VPNs

Are you doing this as a domain-based VPN or route-based?

Route-based might be the better way to do it.

Re: Redundant Site to Site VPNs

Yep, I'm using route-based.

Employee

Re: Redundant Site to Site VPNs

Is it possible to share your configuration for "secondary IP added to the same community"? How was this done?

I am trying to do this in my environments; it will be helpful.

Thanks

Re: Redundant Site to Site VPNs

Hi,

I added a new Interoperable Device to the existing VPN Community.


Re: Redundant Site to Site VPNs

Hi Rodrigo,

Do you need this VPN to work as active/standby?

A few days ago, I tested a similar scenario with AWS using BGP; to keep all VPNs up, I created a PBR to the destination IP of the peer using the second gateway.

If you are using static routes, you need to create two routes using the peer tunnel IP (numbered) (not public) with priority, for example 1 for the primary tunnel and 2 for the second; for failover, check the ping option on the route.

And I added all interoperable devices in same community.

Lucas


Re: Redundant Site to Site VPNs

Hi, I'm using static routes with different priority and no ping failover.

Blason_R

Re: Redundant Site to Site VPNs

Did that work? I am trying to achieve the same thing with Fortigate firewalls and 5100 devices. What is the best solution then to achieve VPN redundancy?

Re: Redundant Site to Site VPNs

Hi.

What is the solution here for the asked question?

mdjmcnally

Re: Redundant Site to Site VPNs

I don't believe that an actual solution was given/accepted as such; however, I believe if you configure a route-based VPN and ping the remote VTI, and then use routes to give priority to one tunnel over the other, then it should work, looking at other solutions such as PurePort

https://help.pureport.com/support/solutions/articles/43000489357-vpn-config-guide-palo-alto-networks...

Very similar to the 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

for AWS but should work the same.

Make sure to enable DPD support on the Check Point.

Blason_R
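The approach Lucas and mdjmcnally describe (one numbered VTI per peer, two static routes with different priorities, ping monitoring on the route so the lower-priority path takes over) written out as a Gaia clish configuration. This is an added example, not configuration posted by anyone in this thread; the tunnel numbers, the 169.254.x.x VTI addresses, the remote LAN 10.20.0.0/24 and the peer object names PA_Primary / PA_Secondary are assumptions (the peer names must match the interoperable device objects added to the VPN community).

```clish
# Added example, not from this thread. All addresses, tunnel numbers and peer
# object names below are assumed placeholders for a lab.

# One numbered VTI per Palo Alto peer; each peer is its own interoperable
# device object in the same VPN community.
add vpn tunnel 1 type numbered local 169.254.10.1 remote 169.254.10.2 peer PA_Primary
add vpn tunnel 2 type numbered local 169.254.20.1 remote 169.254.20.2 peer PA_Secondary

# Two routes to the remote LAN via the tunnel-side (not public) peer addresses.
# Priority 1 is preferred; the priority 2 nexthop is used only when the
# priority 1 nexthop is withdrawn.
set static-route 10.20.0.0/24 nexthop gateway address 169.254.10.2 priority 1 on
set static-route 10.20.0.0/24 nexthop gateway address 169.254.20.2 priority 2 on

# Ping monitoring of the route's nexthops: when 169.254.10.2 stops answering
# ICMP through tunnel 1, that nexthop is withdrawn and traffic follows the
# priority 2 route via tunnel 2; it is restored when the ping succeeds again.
set static-route 10.20.0.0/24 ping on

save config
```

Two checks worth doing before trusting the failover: the ICMP probe to the remote VTI address has to be allowed by the rulebase and must itself go through the tunnel (the VTI peer address is what is monitored, not the public peer IP), and DPD should be enabled on the Check Point side as mdjmcnally notes, so a dead peer also tears down the IKE SA rather than leaving a tunnel that looks up while dropping traffic. Without the `ping on` line the routes are what the earlier reply describes (priority only, no failover), and the priority 1 route stays installed even when tunnel 1 is down.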

Re: Redundant Site to Site VPNs

Or, not sure if anyone has tried the redundancy with MEP in R80.30?

But I guess with a dynamic protocol this can be very well achieved, right?