Steven_Sultana
Contributor

About site-to-site VPN outgoing route selection

This is more of an academic question, rather than me having an issue I would like to solve.


There are 2 interesting settings in the "outgoing route selection" section of the "IPSec VPN > Link Selection" panel:

1. Setup: When responding to a remotely initiated tunnel, determine the outgoing interface using:

1.a. Use outgoing traffic configuration

1.b. Reply from the same interface


2. Source IP address settings: When initiating a tunnel, use the following IP address as the source IP of outgoing packets:

2.a. Automatic (derived from method of IP selection by remote peer)

2.b. Selected address from topology table

2.c. IP address of chosen interface


In my opinion, the answer to these questions should always be 1.b. (it's always polite to face the person you are speaking to 😅) and 2.c. (or else the next hop might drop your packets, since the packets do not belong to the next-hop network).


Is my assumption wrong?

What are the scenarios when these configurations are counter-productive?

0 Kudos
7 Replies
Vincent_Bacher

What about use cases like multiple external interfaces, using SD-WAN or PBR? Does the assumption still apply to all of them?

Perhaps someone has the time and inclination to run through the scenarios; I have to go to bed. Two more working days, then it's holiday time.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Steven_Sultana
Contributor

Holiday time is when these weird questions come to my mind!

But good point - main use case is multiple external interfaces, probably with multiple 3rd party (or tbf even managed CP) gateways which may need to connect to different external interfaces for a variety of reasons.

0 Kudos
the_rock
MVP Platinum

I just checked one of our clients that uses ISPR, and the setting is set to link redundancy mode -> HA; then you choose the main link.

This is what the help section indicates:

Outgoing Route Selection

When Initiating a Tunnel:
◦ Operating system routing table - Using this method, the routing table is consulted for the link with the lowest metric (highest priority) to send traffic.
◦ Route based probing - This method also consults the routing table for the link with the lowest metric. However, before choosing a link to send traffic, all routing possibilities are examined to check that the link is active. The gateway then selects the best match (highest prefix length) active route with the lowest metric, and hence the highest priority. This method is recommended when there is more than one external interface.

Source IP address:
◦ Automatic (derived from the method of IP selection by remote peer) - The source IP address of outgoing traffic is derived from the method selected in the IP Selection by Remote Peer section.
  ◦ If Main address or Selected address from topology table is selected in the IP Selection by Remote Peer section, then the source IP when initiating a VPN tunnel is the IP specified for that method.
  ◦ If Calculate IP based on network topology, Statically NATed IP, Use DNS resolving or Use a probing method is chosen in the IP Selection by Remote Peer section, then the source IP when initiating a VPN tunnel is the IP address of the chosen outgoing interface.
◦ Manual:
  ◦ Main IP address - The source IP is derived from the General Properties page of the gateway.
  ◦ Selected address from topology table - The chosen IP from the drop-down menu becomes the source IP.
  ◦ IP address of chosen interface - The source IP is the same IP as the interface the traffic is being routed through.

Best,
Andy
0 Kudos
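As an added illustration (written here from the help text quoted above, not Check Point's own code), a small Python model of the two "When Initiating a Tunnel" rules and of the "Automatic" source-IP derivation. The routing table, interface addresses, main IP and topology IP are constructed values, and the method names passed to `automatic_source_ip` are hypothetical labels for the options listed in the help text; the last function exposes the source/egress mismatch the original question is worried about.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table (not from a real gateway):
# (destination prefix, outgoing interface, metric, link probed active?)
Route = Tuple[str, str, int, bool]
ROUTES: List[Route] = [
    ("0.0.0.0/0",      "eth1", 10, True),   # default route via ISP-A
    ("0.0.0.0/0",      "eth2", 20, True),   # default route via ISP-B
    ("203.0.113.0/24", "eth2", 5,  False),  # most specific and lowest metric, but link is down
    ("203.0.113.0/24", "eth3", 15, True),   # same prefix, worse metric, link is up
]
# Constructed interface addresses and gateway settings (hypothetical values).
INTERFACE_IPS = {"eth1": "192.0.2.1", "eth2": "198.51.100.1", "eth3": "203.0.113.254"}
MAIN_IP = "192.0.2.1"          # "Main IP address" from General Properties
TOPOLOGY_IP = "198.51.100.1"   # "Selected address from topology table"


def pick_interface(routes: List[Route], peer_ip: str, probe_links: bool) -> Optional[str]:
    """Outgoing link for an initiated tunnel.
    probe_links=False: "Operating system routing table" (longest prefix, then lowest metric).
    probe_links=True:  "Route based probing" (same order, but inactive links are skipped).
    """
    peer = ipaddress.ip_address(peer_ip)
    candidates = [
        (ipaddress.ip_network(prefix).prefixlen, metric, iface)
        for prefix, iface, metric, active in routes
        if peer in ipaddress.ip_network(prefix) and (active or not probe_links)
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda c: (-c[0], c[1]))  # highest prefix length, then lowest metric
    return candidates[0][2]


def automatic_source_ip(remote_peer_method: str, outgoing_iface: str) -> str:
    """'Automatic' source IP: follows the IP Selection by Remote Peer method."""
    if remote_peer_method == "main_address":
        return MAIN_IP
    if remote_peer_method == "selected_topology_address":
        return TOPOLOGY_IP
    if remote_peer_method in {"calculate_by_topology", "static_nat", "dns", "probing"}:
        return INTERFACE_IPS[outgoing_iface]
    raise ValueError(f"unknown IP Selection by Remote Peer method: {remote_peer_method}")


def source_belongs_to_interface(src_ip: str, iface: str) -> bool:
    """The mismatch the question worries about: a source IP the egress link does not own."""
    return INTERFACE_IPS[iface] == src_ip
```

With the constructed table, plain routing-table selection sends 203.0.113.7 out the dead eth2 link while probing picks eth3, and "Automatic" with the Main address method yields a source IP that eth3 does not own.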
AmirArama
Employee

Quantum SD-WAN ignores all Link selection settings

0 Kudos
Steven_Sultana
Contributor

This is a great point to mention, thank you Amir. So when doing VPN orchestration between Check Point gateways which are centrally managed and which all have an SD-WAN license, SD-WAN ignores all Link Selection settings for those relevant gateways.

However, if one of those Check Point gateways has a VPN tunnel to another centrally managed Check Point gateway without an SD-WAN license, or to a 3rd party gateway, I imagine that Link Selection takes effect. Is this correct?

0 Kudos
AmirArama
Employee

Correct.
* It's less a matter of license than of whether an SD-WAN policy is installed on the gateway.

0 Kudos
Steven_Sultana
Contributor

Thank you Amir for the clarification! Yes, "policy" is more precise than "license" in this case.

And thank you Andy for the reference to Docs and for sharing your experience.

I'm very curious to meet someone who had 1.b or 2.c and had to move away from them due to issues being caused "in the wild."

0 Kudos