This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CheckCheckM
Participant
‎2023-01-21 09:33 AM
Jump to solution

IPSec tunnel setup with ISP Redundancy at SMB appliance

Hello everyone,

Remote site, will have an appliance with one ISP. My sites has (two ISP at HA appliances), Target is to establish a VPN to the remote site using two ISP links from my side for redundancy.

if one isp fails from my site, automatically the tunnel will be established to the remote using another isp link.

i did not get any options exception from ha/loadbalancing connection type for remote site. Actually, i need to specify my site ISP links.

is there any options to setup? Thanks.

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2023-01-22 12:30 AM
Jump to solution

As you have different routable IPs from the ISPs, i would do HA ISP redundancy using 2 VPNs:

- ISP 1 with IP 1 is the default ISP for all traffic

- IP 1 builds VPN tunnel 1 to remote site

- ISP 2 with IP 2 is the HA ISP

- IP 2 builds VPN tunnel 2 to remote site

- only VPN 1 goes up !

This is the working config, until connection monitoring finds that ISP 1 is down:

- if ISP 1 goes down, VPN tunnel 1 goes down

- ISP 2 goes active, and now VPN tunnel 2 comes up

Routing works as both VPN tunnels can not be up together...

CCSE CCTE CCSM SMB Specialist

View solution in original post

(1)
4 Replies
PhoneBoy
Admin
Admin
‎2023-01-21 08:12 PM
Jump to solution

It doesn't create two tunnels (one with each ISP Link) but it will establish with whatever ISP is active.

0 Kudos
(1)
CheckCheckM
Participant
‎2023-01-21 09:40 PM
In response to PhoneBoy
Jump to solution

Hello  @PhoneBoy  you mean two internet ports will not working simultaneously?

SMB appliance has two internet ports, so i'm planning to use these two ports as one for user internet access and another one for ipsec tunnel.  thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-23 08:35 AM
In response to CheckCheckM
Jump to solution

Yes, you can load balance between the two connections.
The only way I can see possibly forcing all traffic to the second ISP would be to have explicit routes defined for the remote encryption domain to go through the second ISP's nexthop only.

G_W_Albrecht
Legend
Legend
‎2023-01-22 12:30 AM
Jump to solution

As you have different routable IPs from the ISPs, i would do HA ISP redundancy using 2 VPNs:

- ISP 1 with IP 1 is the default ISP for all traffic

- IP 1 builds VPN tunnel 1 to remote site

- ISP 2 with IP 2 is the HA ISP

- IP 2 builds VPN tunnel 2 to remote site

- only VPN 1 goes up !

This is the working config, until connection monitoring finds that ISP 1 is down:

- if ISP 1 goes down, VPN tunnel 1 goes down

- ISP 2 goes active, and now VPN tunnel 2 comes up

Routing works as both VPN tunnels can not be up together...

CCSE CCTE CCSM SMB Specialist
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫