Has anyone been able to set this up between Check Point and third-party devices? It's Palo Alto in this case. And I will be using different public IPs on local and remote peers.
Do I create a new community with the secondary peer IP address? Or add a gateway to the existing community? What happens with routes (I added another route with a higher metric for the secondary peer IP)? How does Check Point disable the primary route so the secondary route kicks in if the primary VPN tunnel goes down?
I know Palo has something that monitors an IP and, if it goes down, disables the primary interface so the secondary kicks in. I'm just wondering what's the best way to do this on my Check Point side.
It's a work in progress; I'm missing something.
On the Check Point side, the secondary IP was added to the same community, and the secondary route for the remote network was added to the routing table.
Palo Alto is doing its thing with tunnel monitoring.
On testing (logically bringing down the tunnel and/or physically disconnecting the interface) ping is acting a bit strange, giving timeouts, yet other services like HTTPS, SNMP, etc. are working correctly.
Are you doing this as a domain-based VPN or route-based?
Route-based might be the better way to do it.
Yep, I'm using route-based.
Is it possible to share your configuration on "secondary IP added to the same community"? How was this done?
I am trying to do this in my environments; it will be helpful.
Thanks
Hi,
I added a new Interoperable Device to the existing VPN Community.
Hi Rodrigo,
Do you need this VPN to work as active/standby?
A few days ago, I tested a similar scenario with AWS using BGP; to keep all VPNs up, I created a PBR to the destination IP of the peer using the second gateway.
If you are using static routes, you need to create two routes using the peer tunnel IP (numbered) (not public) with priority, for example 1 for the primary tunnel and 2 for the second; for failover, check the ping option on the route.
And I added all interoperable devices in the same community.
Lucas
Hi, I'm using static routes with different priority and no ping failover.
Did that work? I am trying to achieve the same thing with Fortigate firewalls and 5100 devices. What is the best solution then to achieve VPN redundancy?
Hi.
What is solution here for asked question?
I don't believe that an actual solution was given/accepted as such; however, I believe if you configure a route-based VPN and ping the remote VTI, and then use routes to give priority to one tunnel over the other, then it should work, looking at other solutions such as PurePort.
Very similar to the
for AWS but should work the same.
Make sure to enable DPD support on the Check Point.
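The two answers above (two numbered VTIs, one static route per tunnel with priorities 1 and 2, ping monitoring on the route) come together in the following Gaia clish fragment. This is an added illustration, not configuration posted by anyone in the thread; the object names PA_Primary and PA_Secondary, the 169.254.x.x VTI addressing and the 10.20.0.0/16 remote network are assumed placeholders, and the command syntax is standard Gaia clish for numbered VTIs and static routes.

```clish
# Check Point side, Gaia clish. Assumed values (not from the thread):
#   PA_Primary / PA_Secondary        names of the two Interoperable Device
#                                    objects that sit in the VPN community
#   169.254.10.0/30, 169.254.20.0/30 numbered VTI addressing, one per tunnel
#   10.20.0.0/16                     remote network behind the Palo Alto

# One numbered VTI per peer. The peer name must match the object name in
# SmartConsole, otherwise the tunnel never associates with the community.
add vpn tunnel 1 type numbered local 169.254.10.2 remote 169.254.10.1 peer PA_Primary
add vpn tunnel 2 type numbered local 169.254.20.2 remote 169.254.20.1 peer PA_Secondary

# Two routes to the same destination, next hop = remote VTI address of each
# tunnel (not the public peer IP). Lower priority value wins while both are up.
set static-route 10.20.0.0/16 nexthop gateway address 169.254.10.1 priority 1 on
set static-route 10.20.0.0/16 nexthop gateway address 169.254.20.1 priority 2 on

# Without the next line this is exactly the "priorities, no ping failover"
# setup from earlier in the thread: the priority-1 route stays installed even
# when tunnel 1 is dead, so traffic is still sent into the dead VTI.
# With ping monitoring, a next hop that stops answering ICMP has its route
# withdrawn and the priority-2 route takes over; when it answers again the
# priority-1 route is reinstalled.
set static-route 10.20.0.0/16 ping on

save config

# Quick checks after a failover test
show route
show vpn tunnels
```

Two caveats that follow from how the monitoring works: the monitored next hop is the Palo Alto's tunnel-interface address, so that interface must be allowed to answer ping (on PAN-OS this is an interface management profile setting), and the ICMP probes themselves must be permitted by the rulebase on both sides. DPD, mentioned above, is a property of the peer object (the tunnel_keepalive_method attribute on the interoperable device), not of the routing table, so it is not part of this fragment.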
Or, not sure if anyone has tried the redundancy with MEP in R80.30?
But I guess with dynamic protocol this can be very well achieved, right?