Hey guys,
Wanted to update with something else my colleague and I discovered. So, I will give an example we used, and this is with numbered VTIs, since we did not want to spend too much time troubleshooting why unnumbered did not work, plus we are not even sure it's supported 🙂
Example:
Loopback interface:
router ID 169.254.241.1
local AS 65000
remote AS 65001
peer 1 -> 169.254.100.254
peer 2 -> 169.254.200.254
fw1:
VTI 1 -> 169.254.100.2
VTI 2 -> 169.254.200.2
VIP 169.254.100.1 and 169.254.200.1
fw2:
VTI 1 -> 169.254.100.3
VTI 2 -> 169.254.200.3
VIP 169.254.100.1 and 169.254.200.1 (same as fw1)
Overlay ID:
Same settings, except that in the SASE portal you would use, for tunnel 1, the SASE IP 169.254.100.254 and the local IP 169.254.100.1 (169.254.200.254 and 169.254.200.1 for tunnel 2).
If using the loopback interface method, then you would use, say, 169.254.241.1 and 169.254.241.254 for SASE for tunnel 1, and then 169.254.240.1 and 169.254.240.254 for tunnel 2 (like what I had in the document).
Now, here is the catch. If using the Overlay ID method, tunnels will show as PERMANENT from SASE, but not from Check Point, which is not a big deal, as BGP is exchanged and it is constantly checking the loopback IP anyway. Plus, they are set as permanent tunnels in the community; they just show as regular in SmartView Monitor. If you use the loopback interface method, they show as permanent.
The difference is that, if using Overlay ID, the tunnel is terminated on the tunnel interface rather than the loopback one.
This is somewhat similar for FortiSASE (Fortinet's solution) and Prisma (PAN SASE), and Aruba Axis is definitely a simpler setup, as it uses the connector method. I assume it's the same for Cisco Connect, but since I have never seen it, I can't really say 🙂
If anything else comes to mind and we end up testing it, I will update.
Best,
Andy
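
For anyone who wants Andy's numbered-VTI addressing plan laid out as Gaia clish, here is an added example for cluster member fw1. It is my illustration, not Andy's configuration and not vendor documentation: the interoperable device object names SASE_T1 and SASE_T2, the internal range 10.0.0.0/8 and the SASE-side range 100.64.0.0/10 are assumptions, and the import/export route maps are my addition to show prefix filtering on a peering with a third party. The lines starting with # are commentary, not clish input. Verify the exact command syntax against the Gaia Advanced Routing guide for your release before pasting.

```text
# Added example (not from the post above): Gaia clish on cluster member fw1.
# SASE_T1 / SASE_T2 are assumed names of the interoperable device objects created in
# SmartConsole for the two SASE gateways. The VTI cluster VIPs (169.254.100.1 and
# 169.254.200.1) are configured on the cluster object's topology in SmartConsole, not here.

# Numbered VTIs, one per SASE tunnel. fw2 is identical except its local IPs are
# 169.254.100.3 and 169.254.200.3.
add vpn tunnel 1 type numbered local 169.254.100.2 remote 169.254.100.254 peer SASE_T1
add vpn tunnel 2 type numbered local 169.254.200.2 remote 169.254.200.254 peer SASE_T2

# Router ID taken from the loopback, so it is the same on both members after failover.
set router-id 169.254.241.1
set as 65000

# eBGP to both SASE peers, sourced from the VTI VIP so the session follows the active member.
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer 169.254.100.254 on
set bgp external remote-as 65001 peer 169.254.100.254 local-address 169.254.100.1
set bgp external remote-as 65001 peer 169.254.200.254 on
set bgp external remote-as 65001 peer 169.254.200.254 local-address 169.254.200.1

# Export filter: only advertise the internal prefixes you intend to (assumed 10.0.0.0/8).
# Without an export route map nothing is advertised to the peer.
set routemap SASE_OUT id 10 on
set routemap SASE_OUT id 10 allow
set routemap SASE_OUT id 10 match network 10.0.0.0/8 refines
set bgp external remote-as 65001 peer 169.254.100.254 export-routemap SASE_OUT preference 10 on
set bgp external remote-as 65001 peer 169.254.200.254 export-routemap SASE_OUT preference 10 on

# Import filter: accept only the SASE-originated ranges (assumed 100.64.0.0/10), so a
# misconfigured or compromised peer cannot inject routes for your own networks or default.
set routemap SASE_IN id 10 on
set routemap SASE_IN id 10 allow
set routemap SASE_IN id 10 match network 100.64.0.0/10 refines
set bgp external remote-as 65001 peer 169.254.100.254 import-routemap SASE_IN preference 10 on
set bgp external remote-as 65001 peer 169.254.200.254 import-routemap SASE_IN preference 10 on

# Verification after the tunnels are up
show bgp peers
show route bgp
```

On the SASE portal side this matches Andy's Overlay ID figures: tunnel 1 uses 169.254.100.254 as the SASE IP and 169.254.100.1 as the local (Check Point) IP, tunnel 2 uses the 169.254.200.x pair. The two peer statements plus matching route maps are what make the second tunnel a real backup rather than just a second IPsec SA: if tunnel 1 drops, the BGP session over tunnel 2 already carries the same prefixes.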