Hello everyone,
The remote site will have an appliance with one ISP. My site has two ISPs on HA appliances. The target is to establish a VPN to the remote site using two ISP links from my side for redundancy.
If one ISP fails at my site, the tunnel will automatically be established to the remote site using the other ISP link.
I did not get any options except for the HA/load-balancing connection type for the remote site. Actually, I need to specify my site's ISP links.
Is there any option to set this up? Thanks.
It doesn't create two tunnels (one with each ISP Link) but it will establish with whatever ISP is active.
Hello @PhoneBoy, you mean the two internet ports will not work simultaneously?
The SMB appliance has two internet ports, so I'm planning to use these two ports: one for user internet access and another one for the IPsec tunnel. Thanks.
Yes, you can load balance between the two connections.
The only way I can see possibly forcing all traffic to the second ISP would be to have explicit routes defined for the remote encryption domain to go through the second ISP's nexthop only.
As you have different routable IPs from the ISPs, I would do HA ISP redundancy using 2 VPNs:
- ISP 1 with IP 1 is the default ISP for all traffic
- IP 1 builds VPN tunnel 1 to remote site
- ISP 2 with IP 2 is the HA ISP
- IP 2 builds VPN tunnel 2 to remote site
- only VPN 1 goes up!
This is the working config, until connection monitoring finds that ISP 1 is down:
- if ISP 1 goes down, VPN tunnel 1 goes down
- ISP 2 goes active, and now VPN tunnel 2 comes up
Routing works as both VPN tunnels cannot be up together...
But in that case, how does the line change from VPN1 to VPN2 automatically if VPN1 is down? How can I configure it? In SmartConsole or in the WebUI of the SMB?
Is your VPN remote site different, or is it the same remote site with different source WAN links? Scenario, please. In my experience, SMB has limitations depending on the scenario.
It is a WAN site with 2 different WAN interfaces. Both interfaces are going to establish a site-to-site VPN with headquarters. If one WAN interface goes down (VPN1 is down), traffic goes through VPN2 (WAN interface 2).
If you have two WAN interfaces that tunnel to the HO site, you do not need to do any special configuration for tunnel failover, because only one active default route, with the WAN link that has low priority, will establish to the HO site. When the current WAN link fails, another default route, with the WAN link that has high priority, will become active and the tunnel will go with it.
(I'm just a Check Point SMB admin, not a specialist)