Rodrigo_Castell
Contributor

Redundant Site to Site VPNs

Has anyone been able to set this up between Check Point and third-party devices? It's Palo Alto in this case. And I will be using different public IPs on local and remote peers.

Do I create a new community with the secondary peer IP address? Or add a gateway to the existing community? What happens with routes (I added another route with a higher metric for the secondary IP peer)? How does Check Point disable the primary route so the secondary route kicks in if the primary VPN tunnel goes down?

I know Palo has something that monitors an IP and, if it goes down, disables the primary interface so the secondary kicks in. I'm just wondering what's the best way to do this on my Check Point side.

11 Replies
Rodrigo_Castell
Contributor

It's a work in progress; I'm missing something.

On the Check Point side, the secondary IP was added to the same community, and the secondary route for the remote network was added to the routing table.

Palo Alto is doing its thing with tunnel monitoring.

On testing (logically bringing down the tunnel and/or physically disconnecting the interface), ping is acting a bit strange, giving timeouts, yet other services like https, snmp, etc. are working correctly.

PhoneBoy
Admin

Are you doing this as a domain-based VPN or route-based?

Route-based might be the better way to do it.

Rodrigo_Castell
Contributor

Yep, I'm using Route-Based.

Saad_Nizam
Employee

Is it possible to share your configuration on "secondary IP added to the same community"? How was this done?

I am trying to do this in my environments; it will be helpful.

Thanks

Rodrigo_Castell
Contributor

Hi,

I added a new Interoperable Device to the existing VPN Community.

Lucas_Piris
Participant

Hi Rodrigo,

Do you need this VPN to work as active/standby?

A few days ago, I tested a similar scenario with AWS using BGP; to keep all VPNs up, I created a PBR to the destination IP of the peer using the second gateway.

If you are using static routes, you need to create two routes using the tunnel peer IP (numbered, not public) with priority, for example 1 for the primary tunnel and 2 for the second; for failover, check the ping option on the route.

And I added all interoperable devices in same community.

Lucas

Rodrigo_Castell
Contributor

Hi, I'm using static routes with different priority and no ping failover.

Blason_R
Leader

Did that work? I am trying to achieve the same thing with Fortigate firewalls and 5100 devices. What is the best solution then to achieve VPN redundancy?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Netmagic_SOC
Participant

Hi.

What is the solution here for the asked question?

mdjmcnally
Advisor

I don't believe that an actual solution was given/accepted as such; however, I believe if you configure a Route Based VPN and ping the remote VTI, and then use routes to give priority to one tunnel over the other, then it should work, looking at other solutions such as PurePort

https://help.pureport.com/support/solutions/articles/43000489357-vpn-config-guide-palo-alto-networks...

Very similar to the 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

for AWS but should work the same.

Make sure to enable DPD support on the Check Point.

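The mechanism the last two answers describe (two static routes to the remote network over numbered VTIs, a lower priority value on the primary, and a ping monitor on the remote VTI peer that withdraws a route when its peer stops answering) can be seen in a small simulation. This is an added illustration, not Check Point, Palo Alto or Pureport code, and not part of the thread; the addresses, the probe threshold and the monitor loop are constructed assumptions. It also shows the detection window that explains the ping timeouts reported earlier in the thread: until the monitor has seen enough failed probes, the routing table still prefers the dead primary, so traffic is black-holed even though a healthy secondary tunnel exists.

```python
"""Simulation of route-based VPN failover: prioritised static routes over two
VTIs plus a ping monitor on each remote VTI peer. Added example; all values are
constructed and the monitor logic is a hypothetical model, not vendor code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REMOTE_NET = "10.20.0.0/16"          # constructed: network behind the remote peer
PRIMARY_VTI_PEER = "169.254.10.2"    # constructed: tunnel-side (numbered) peer of VTI 1
SECONDARY_VTI_PEER = "169.254.20.2"  # constructed: tunnel-side (numbered) peer of VTI 2


@dataclass
class VtiRoute:
    """One static route to the remote network through a numbered VTI."""
    dest: str          # destination network
    vti_peer: str      # tunnel-side peer address, not the public peer IP
    priority: int      # lower value wins: 1 for the primary tunnel, 2 for the secondary
    up: bool = True    # cleared by the monitor when the peer stops answering
    failures: int = 0  # consecutive failed probes


class RoutingTable:
    def __init__(self, routes: List[VtiRoute]) -> None:
        self.routes = routes

    def best_route(self, dest: str) -> Optional[VtiRoute]:
        """Active route with the lowest priority value, or None if all are down."""
        live = [r for r in self.routes if r.dest == dest and r.up]
        return min(live, key=lambda r: r.priority) if live else None


class PingMonitor:
    """Marks a route down after `threshold` consecutive failed probes to its
    VTI peer and brings it back on the first successful probe."""

    def __init__(self, table: RoutingTable, probe: Callable[[str], bool],
                 threshold: int = 3) -> None:
        self.table = table
        self.probe = probe
        self.threshold = threshold

    def tick(self) -> None:
        for route in self.table.routes:
            if self.probe(route.vti_peer):
                route.failures = 0
                route.up = True
            else:
                route.failures += 1
                if route.failures >= self.threshold:
                    route.up = False


def build_table() -> RoutingTable:
    return RoutingTable([
        VtiRoute(REMOTE_NET, PRIMARY_VTI_PEER, priority=1),
        VtiRoute(REMOTE_NET, SECONDARY_VTI_PEER, priority=2),
    ])


def run_scenario(peer_states: List[Dict[str, bool]], threshold: int = 3) -> List[Optional[str]]:
    """Feed one probe result per monitor interval and record which VTI peer
    carries traffic to REMOTE_NET after each interval."""
    table = build_table()
    reachable: Dict[str, bool] = {}
    monitor = PingMonitor(table, lambda peer: reachable.get(peer, False), threshold)
    chosen: List[Optional[str]] = []
    for state in peer_states:
        reachable.clear()
        reachable.update(state)
        monitor.tick()
        best = table.best_route(REMOTE_NET)
        chosen.append(best.vti_peer if best else None)
    return chosen


def blackholed_ticks(peer_states: List[Dict[str, bool]], threshold: int = 3) -> int:
    """Intervals where the selected route points at a peer that is not
    answering: the window in which pings time out before failover happens."""
    chosen = run_scenario(peer_states, threshold)
    return sum(1 for peer, state in zip(chosen, peer_states)
               if peer is not None and not state.get(peer, False))


# Constructed probe results, one dict per monitor interval.
SCENARIO = [
    {PRIMARY_VTI_PEER: True,  SECONDARY_VTI_PEER: True},   # 1: both tunnels healthy
    {PRIMARY_VTI_PEER: False, SECONDARY_VTI_PEER: True},   # 2: primary tunnel drops
    {PRIMARY_VTI_PEER: False, SECONDARY_VTI_PEER: True},   # 3: still counting failures
    {PRIMARY_VTI_PEER: False, SECONDARY_VTI_PEER: True},   # 4: threshold reached, failover
    {PRIMARY_VTI_PEER: False, SECONDARY_VTI_PEER: True},   # 5: running on secondary
    {PRIMARY_VTI_PEER: True,  SECONDARY_VTI_PEER: True},   # 6: primary recovers, fallback
]

if __name__ == "__main__":
    for n, peer in enumerate(run_scenario(SCENARIO), 1):
        print(f"interval {n}: traffic to {REMOTE_NET} via VTI peer {peer}")
    print("intervals black-holed before failover:", blackholed_ticks(SCENARIO))
```

With the default threshold of three probes the primary stays selected for two intervals after its peer stops answering, which is exactly the period where a ping test shows timeouts; lowering the threshold (or the probe interval) shortens that window at the cost of flapping on a lossy link, and without any monitor at all (the "static routes with different priority and no ping failover" setup from earlier in the thread) the primary route is never withdrawn and traffic stays black-holed until the tunnel itself comes back.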
Blason_R
Leader

Or, not sure if anyone has tried redundancy with MEP in R80.30?

But I guess with dynamic protocol this can be very well achieved, right?


Thanks and Regards,
Blason R
CCSA,CCSE,CCCS