This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raymond_Poede
Participant
‎2018-12-04 05:46 AM

IPSec Amazon without VTI

Site2Site VPN (Amazon - Company)

We're running a firewall cluster based on R77.30 and what to setup a IPsec VPN tunnel with Amazon VPC

But there's a known issue with R77.30 and VTI's

See:

How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC u... 

If CoreXL is disabled we see a very High CPU usuage.

That's why we want to setup an IPSec without VTI's, instead of updating to R88.10 first.

When downloading the Configuration file from Amazon:

  • Vendor: Generic
  • Platform: Generic
  • Software: Vendor Agnostic

Within the config file there's a part about the Inside IP Address

The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
  - Customer Gateway                 : a.b.c.d.
  - Virtual Private Gateway            : z.y.x.w
        
Inside IP Addresses
  - Customer Gateway                 : 169.254.22.106/30
  - Virtual Private Gateway             : 169.254.22.105/30

How can I configure the inside Customer Gateway and Inside Virtual Private Gateway without using VTI's ?

The following SK article has been followed (sk113840)

How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Serv... 

And:

Ensure VPN Tunnels Pass Traffic Between Customer Gateways and Virtual Private Gateways 

Please advice.

Regards,

Ray

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2018-12-04 06:54 PM

It's generally less reliable to not use VTIs with Amazon.

See: https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-p... 

You really should consider upgrading to R80.x.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events