morris
Contributor

IPSec with two external Interfaces

Hey Guys,

We are planning to migrate our VPN users to another external interface on the gateway.


eth1: 1.1.1.1
Currently used for Site-to-Site VPN and SSL-VPN

eth2: 2.2.2.2
Planned Migration from SSL-VPN to IPSec VPN

IPSec is at the moment configured like this (screenshot taken from SmartConsole Demo): [screenshot: LinkSelection.jpg]

If we change "Selected address from topology table: XXX.XXX.XXX.XXX", all Site-to-Site VPNs will drop (of course they will).

 

So my consideration now is to change to "Calculate IP based on network topology" and "Reply from the same interface".

Is Check Point able to handle Site-to-Site VPN on eth1 and Client VPN on eth2 with this configuration?
What are your thoughts?

 

Best regards,
morris

0 Kudos
2 Replies
PhoneBoy
Admin

I seem to recall a thread on this where this did not work as expected for Remote Access.
More precisely, reply traffic went through the primary ISP even though the traffic was received on the second ISP.
Don't know if that will be the case for you or not.

0 Kudos
Wolfgang
Mentor

@morris Following "Remote Access clients can connect to VPN Gateway only once" or "Configuring VPN Link Selection for Remote Access client", you can change the link selection behaviour for remote access clients.

Setting

"apply_resolving_mechansm_to_SR" => "false"
"ip_resolution_mechanism" => "singleIpVpn"
"single_VPN_IP_RA" => "2.2.2.2"

changes your remote access destination for all clients to 2.2.2.2 on the gateway.

0 Kudos
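The two replies above describe the same underlying question: which interface, and therefore which source address, the gateway answers from when a client reaches it on the second ISP. The following is an added model written for this thread, not code from Check Point or from any poster, and it does not claim to reproduce the product's internal logic. It assumes the topology from the question (eth1 1.1.1.1 with the default route, eth2 2.2.2.2 for the new Remote Access clients), a constructed client address from a documentation range, and three hypothetical modes that stand in for "calculate IP based on topology", "reply from the same interface" and the single_VPN_IP_RA override. It shows why a reply routed out the primary ISP, as PhoneBoy recalls, reaches the client with a source address it never sent to, and why a pinned VPN IP or same-interface reply keeps the path symmetric.

```python
"""Toy model of reply-path selection on a dual-ISP VPN gateway (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Iface:
    name: str
    ip: str


# Interfaces as described in the question (constructed topology, not a real site).
ETH1 = Iface("eth1", "1.1.1.1")   # Site-to-Site peers and today's SSL-VPN
ETH2 = Iface("eth2", "2.2.2.2")   # planned IPsec Remote Access interface
IFACES = {i.name: i for i in (ETH1, ETH2)}

# Routing table as (prefix, outgoing interface). A lone default route via the
# primary ISP is the usual starting point and the case PhoneBoy describes.
DEFAULT_ROUTES = [("0.0.0.0/0", "eth1")]


def route_lookup(dst: str, routes) -> str:
    """Longest-prefix match; returns the outgoing interface name for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_interface(inbound: str, client_ip: str, mode: str,
                    routes=DEFAULT_ROUTES, single_ip: Optional[str] = None) -> Iface:
    """
    Pick the interface the gateway answers from. The modes are hypothetical
    labels for the behaviours discussed in the thread:
      topology       - ordinary route lookup toward the client
      same_interface - answer on the interface the request arrived on
      single_ip      - always answer from the interface owning single_ip
                       (the effect the thread attributes to single_VPN_IP_RA)
    """
    if mode == "topology":
        return IFACES[route_lookup(client_ip, routes)]
    if mode == "same_interface":
        return IFACES[inbound]
    if mode == "single_ip":
        for iface in IFACES.values():
            if iface.ip == single_ip:
                return iface
        raise ValueError(f"{single_ip} is not an address on this gateway")
    raise ValueError(f"unknown mode {mode!r}")


def check_path(inbound: str, client_ip: str, dst_ip: str, mode: str, **kw) -> dict:
    """
    Return the reply interface and whether the client sees the source it expects.
    dst_ip is the gateway address the client sent to; a mismatch means the
    client's IKE/IPsec state will not match the reply (asymmetric path).
    """
    iface = reply_interface(inbound, client_ip, mode, **kw)
    return {"reply_iface": iface.name,
            "reply_src": iface.ip,
            "symmetric": iface.ip == dst_ip}


if __name__ == "__main__":
    client = "203.0.113.10"          # constructed client address (TEST-NET-3)
    for mode, extra in (("topology", {}),
                        ("same_interface", {}),
                        ("single_ip", {"single_ip": "2.2.2.2"})):
        print(mode, check_path("eth2", client, "2.2.2.2", mode, **extra))
```

The "topology" row is the failure to check for before migrating: the request arrives on eth2 but the default route sends the answer out eth1 with source 1.1.1.1, so the client, which sent to 2.2.2.2, never matches the reply. Adding a more specific route toward the client networks via eth2 fixes that case in the model, but for roaming Remote Access clients no such route exists, which is why pinning the reply address or replying on the receiving interface is the practical option.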