israelsc
Collaborator

Doubt about VPN c2s for two different clusters.

Hello everyone!

I have a question about configuring VPN c2s for two clusters on a single SMS.
The SMS is on R81.20, and so are both clusters.
The active cluster is on-prem and the newly deployed cluster is in Azure.

The first on-prem cluster is the one that is currently working for the users' c2s VPN.
It has its own public IP, its own network segment for office mode, is included in the RemoteAccess VPN community and has its own encryption domain.

We recently created an HA Azure cluster (with its own public IP) and I need to set up the same configuration:
- Network segment for office mode
- Include the cluster in the RemoteAccess VPN community
- Define its own encryption domain

My question is: is it enough to just configure the new Azure cluster in the same RemoteAccess VPN community?
Or do I have to consider something additional so that the two c2s VPNs do not conflict when users try to authenticate?
Is MEP not relevant for this configuration?

Greetings to all!


6 Replies
the_rock
Legend

As far as MEP, if you are talking about s2s VPN, then it only applies if you have more than 1 center gateway in a star community; mesh would be irrelevant here. Yes, you can configure the Azure cluster in the same community. Check out the post I made about Azure VPN this year, hope it helps. If not, let me know, happy to have a remote and assist.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

PhoneBoy
Admin

You're correct, you just need to add the new gateway to the Remote Access Encryption Domain.
Secondary Connect should allow you to connect to the other gateway.

Note that clients will only know about this gateway after connecting again.
They can also delete/re-add the site to get the information about the new gateway included.

israelsc
Collaborator

Hello @PhoneBoy, @the_rock,
Thank you for your comments.

In fact, as an additional note, the current c2s VPN on the on-prem cluster has a domain name that points to the public IP of that on-prem cluster.

The idea is to start configuring the c2s VPN for the Azure cluster, do some tests, and then redirect the domain name to the new VPN IP of the Azure cluster.

The only doubt I have is whether both c2s VPNs can coexist in the same SMS without the VPN users having conflicts when I configure both VPNs.

In fact, what would happen is that all the current users will continue to point to "vpn.company.com" in their VPN client, and for these tests with the Azure c2s VPN I will use one or several specific local users pointing to the public IP of the Azure cluster.
Once I make sure this works and does not cause conflicts (coexistence of both c2s VPNs), we will proceed with the maintenance window to reconfigure the domain name for the VPN client to use only the Azure cluster and stop using the on-prem cluster.

It would help me a lot to know your comments.

Greetings!

the_rock
Legend

I would argue that if you are NOT making any changes to RA VPN, then I would not foresee any problems doing what you described with s2s VPN.

Andy

israelsc
Collaborator

Hello everyone,
To dispel any doubts, we opened a case with TAC and they told us the following:

To enable c2s VPN on both the on-prem and Azure clusters so that they can use the same RemoteAccess VPN Community, it is necessary to disable MEP on the members of both clusters.

https://support.checkpoint.com/results/sk/sk78180 (Disabling MEP for Endpoint VPN Client)

You just need to do the yellow-coloured portion.

[Attached screenshot: 2024-12-11 12_48_55-_nuevo8 - Notepad++.png]

-> To validate the configuration on the 4 cluster members:
vpn check_ttm trac_client_1.ttm

-> Install policies and test

-> You may need to disconnect/reconnect, or delete the site, then recreate it and connect to the VPN

After that, both c2s VPNs worked without causing conflict.
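The TAC procedure above edits trac_client_1.ttm on four separate cluster members, and the validation step (vpn check_ttm) only confirms that each file is syntactically valid on the gateway where it runs; it does not tell you that all four members ended up with the same MEP setting. The following script is an added example, written for this thread and not Check Point code or part of the SK, that parses copies of the ttm files collected from each member and reports which ones still have MEP enabled. It assumes the attribute path automatic_mep_topology -> gateway -> default, which is the setting sk78180 changes to false as recalled here and should be confirmed against the SK; the member names and file contents are constructed sample data.

```python
"""Consistency check for the MEP setting in trac_client_1.ttm across cluster members.

Added example for this thread; not Check Point code and not the TAC procedure itself.
It parses the ':attribute (value)' nested format used by $FWDIR/conf/trac_client_1.ttm
and reports, for every member, the value of automatic_mep_topology -> gateway -> default,
which sk78180 (as recalled here; verify against the SK) sets to false to disable MEP for
the Endpoint VPN client. The four member files below are constructed sample data.
"""
import re

# Tokens: "(", ")", ":attribute_name", or a bare scalar value.
TOKEN = re.compile(r"\(|\)|:[A-Za-z_]\w*|[^\s()]+")


def parse_ttm(text):
    """Parse the nested ':name (value)' format into dicts.

    A block whose first token is another ':name' becomes a nested dict;
    anything else between the parentheses is kept as a scalar string.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == ")":
                pos += 1            # end of the enclosing block
                return block
            if not tok.startswith(":"):
                pos += 1            # stray "(" such as the file's outer wrapper
                continue
            name = tok[1:]
            pos += 1
            if pos >= len(tokens) or tokens[pos] != "(":
                block[name] = None  # attribute without a value
                continue
            pos += 1                # consume "("
            if pos < len(tokens) and tokens[pos].startswith(":"):
                block[name] = parse_block()
            else:
                values = []
                while pos < len(tokens) and tokens[pos] != ")":
                    values.append(tokens[pos])
                    pos += 1
                pos += 1            # consume ")"
                block[name] = " ".join(values)
        return block

    return parse_block()


def mep_default(tree):
    """Value of automatic_mep_topology/gateway/default, or None when the block is missing."""
    node = tree
    for key in ("automatic_mep_topology", "gateway", "default"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def members_with_mep_enabled(member_files):
    """Names of members whose ttm does not explicitly set the MEP default to false.

    A missing block is flagged too, so that it gets reviewed by hand.
    """
    return sorted(
        name for name, text in member_files.items()
        if mep_default(parse_ttm(text)) != "false"
    )


def member_ttm(mep_default_value):
    """Constructed sample: the MEP block as it appears in trac_client_1.ttm (per sk78180 as recalled)."""
    return f"""(
\t:automatic_mep_topology (
\t\t:gateway (
\t\t\t:map (
\t\t\t\t:true (true)
\t\t\t\t:false (false)
\t\t\t\t:client_decide (client_decide)
\t\t\t)
\t\t\t:default ({mep_default_value})
\t\t)
\t)
)
"""


# Constructed sample: two on-prem and two Azure members; azure-2 was missed during the change.
SAMPLE_MEMBERS = {
    "onprem-1": member_ttm("false"),
    "onprem-2": member_ttm("false"),
    "azure-1": member_ttm("false"),
    "azure-2": member_ttm("true"),
}

if __name__ == "__main__":
    for name, text in SAMPLE_MEMBERS.items():
        print(f"{name}: automatic_mep_topology default = {mep_default(parse_ttm(text))}")
    print("members still needing the MEP change:", members_with_mep_enabled(SAMPLE_MEMBERS))
```

Run it against copies of the file pulled from each member before the policy install; a member listed in the output is one where the change from the SK was not applied, which is exactly the kind of drift that makes the two c2s VPNs behave differently for clients depending on which member answers.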

the_rock
Legend

Great job!
