This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lucas_Piris
Participant
‎2018-06-29 11:32 AM
Jump to solution

IPsec VPN over MPLS

Hi,

Anyone known how configure a VPN IPSEC over MPLS?

Actually i have a tunel established using my ISP between two Check Point Gateway, now i have a MPLS link and i want to encrypt this traffic.

Devices:

1 Manager for Corporate and Branch Site;

1 Corporate Gateway;

1 Branch site Gateway.

My doubt is, i have some others tunnels using my ISP on Corporate gateway, if i change the link selector to use MPLS, how the VPN´s configured today understand this?

Best Regards

Lucas

1 Solution

Accepted Solutions
Lucas_Piris
Participant
‎2018-07-30 10:03 AM
Jump to solution

Hi all,

The final solutions was:

Uncheck "Apply settings to VPN Traffic" from the ISP Redundancy settings.

Configure the Link Selection to probe my two ISP´s and the MPLS and set the primary address to MPLS.

 

Renew the certificates from Gateway 01 and Gateway 02 adding all ip address of ipsec as SAN.

Regards

Lucas

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2018-06-29 01:27 PM
Jump to solution

Is the MPLS link on the same interface or a different interface from your ISP?

Assuming different, then I think if you use "Calculate IP Based on Network Topology" it should use the IP facing that network.

0 Kudos
Lucas_Piris
Participant
‎2018-06-29 02:07 PM
In response to PhoneBoy
Jump to solution

Hi Dameon,

Thank you!

Yes, is a different interface.

I have ISP Redundancy configured also, with "Apply settings to VPN Traffic" because i have VPN established with anothers peers over internet and for redundancy of internet and the ipsec vpn with this peers.

Also, if i uncheck "Apply settings to VPN Traffic" and use "Calculate IP Based on Network Topology", Can i have a problem with link failover or with others tunnels?

Lucas

PhoneBoy
Admin
Admin
‎2018-07-02 12:35 PM
In response to Lucas_Piris
Jump to solution

Depends on if the remote end of the MPLS VPN is Check Point or not.

See: IKE Main Mode negotiation fails with error "invalid id" when Check Point Security Gateway has ISP re... 

0 Kudos
Lucas_Piris
Participant
‎2018-07-02 02:03 PM
In response to PhoneBoy
Jump to solution

Hi Dameon,

Thank you for all your support.

Yes, is a check point.

Do you know what happens when I uncheck the option "Apply settings to VPN Traffic" from ISP redundancy settings?

I will lose the failover with others peers?

Regards

Lucas

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-02 02:11 PM
In response to Lucas_Piris
Jump to solution

I don't think you need to disable "Apply settings to VPN Traffic" in this case (but maybe I'm wrong here).

0 Kudos
Lucas_Piris
Participant
‎2018-07-02 03:53 PM
In response to PhoneBoy
Jump to solution

Hi Dameon,

If i do not disable the option "Apply settings to VPN Traffic", I am not be able to change the link selection on the IPSec VPN tab. Smiley Sad

Regards

Lucas

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-02 04:35 PM
In response to Lucas_Piris
Jump to solution

It should be ok.

It's similar to the following scenario in the documentation, which requires a couple extra steps to be done: Link Selection 

0 Kudos
Lucas_Piris
Participant
‎2018-07-03 05:56 AM
In response to PhoneBoy
Jump to solution

Hi Dameon,

Thank you so much.

I will try, I will be back with results.

Regards

Lucas

0 Kudos
Lucas_Piris
Participant
‎2018-07-30 10:03 AM
Jump to solution

Hi all,

The final solutions was:

Uncheck "Apply settings to VPN Traffic" from the ISP Redundancy settings.

Configure the Link Selection to probe my two ISP´s and the MPLS and set the primary address to MPLS.

 

Renew the certificates from Gateway 01 and Gateway 02 adding all ip address of ipsec as SAN.

Regards

Lucas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events