IPSec with two external Interfaces
Hey Guys,
we are planning to migrate our VPN-Users to another external interface on the Gateway.
eth1: 1.1.1.1
Currently used for Site-to-Site VPN and SSL-VPN
eth2: 2.2.2.2
Planned Migration from SSL-VPN to IPSec VPN
IPSec is at the moment configured like this (Screenshot taken from SmartConsole Demo): LinkSelection.jpg
If we change "Selected address from topology table: XXX.XXX.XXX.XXX", all Site-to-Site VPNs will drop (of course they will).
So my consideration now is to change to "Calculate IP based on network topology" and "Reply from the same interface".
Is CheckPoint able to handle Site-to-Site VPN on eth1 and Client-VPN on eth2 with this configuration?
What are your thoughts?
Best regards,
morris
I seem to recall a thread on this where this did not work as expected for Remote Access.
More precisely, reply traffic went through the primary ISP even though the traffic was received on the second ISP.
Don't know if that will be the case for you or not.
@morris, following "Remote Access clients can connect to VPN Gateway only once" or "Configuring VPN Link Selection for Remote Access client", you can change the link selection behaviour for remote access clients.
Setting
"apply_resolving_mechanism_to_SR" => "false"
"ip_resolution_mechanism" => "singleIpVpn"
"single_VPN_IP_RA" => "2.2.2.2"
changes your remote access destination for all clients to 2.2.2.2 on the gateway.
