handiansudianto
Advisor

Azure VPN site2site redundancy

Hello,


I have a topology from our client to Azure like the attached picture.

Two Check Point gateways run as standalone, and I make CP-1 the main VPN site-to-site to Azure; the details are below:

  • Traffic from the LAN (10.103.248.xxx) to Azure (10.201.xxx.xxx) will be routed to CP1 by Core-1 and Core-2
  • VPN site-to-site is already established/connected between Azure and CP-1
  • Local Network Gateway LNG-1 contains subnet 10.103.248.xxx and LNG-2 contains a random subnet (I filled in 192.168.1.xxx); this is needed for asymmetric routing between Azure and the LAN

When we have an internet connection problem on CP-1, I do:

  • Change routing from the LAN to Azure via CP2 on Core-1 and Core-2
  • VPN site-to-site is already established/connected between Azure and CP-2
  • Change LNG-1 from subnet 10.103.248.xxx to 192.168.1.xxx and LNG-2 from 192.168.1.xxx to 10.103.248.xxx

With the above setup we can fail over traffic to Azure manually, and with this thread I want to know whether any expert here has the same scenario as me and can make the failover automatic.

My goal is to make CP1 the main VPN, fail over to CP2 if CP1 has an internet connection problem, and fall back to CP1 again when the internet connection on CP1 is back online.

On the core switch side I can make an IP SLA to check whether the connection to Azure via CP1 is down or not, and make a script to re-route to CP2 if the connection is down, but I'm not sure what I should do on the Check Point and Azure side.

I already tested: if LNG1 and LNG2 both contain subnet 10.103.248.xxx, the traffic is intermittent, while on-prem the traffic to Azure should use CP1 because the traffic is not asymmetric.

3 Replies
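The Azure-side half of the manual procedure above (moving the real on-prem prefix from one Local Network Gateway to the other) can be driven by a script once the core switch's IP SLA decides which gateway is healthy. The following is an added example, not code from the original post, from Check Point or from Microsoft; it assumes a logged-in Azure CLI, a hypothetical resource group `rg-vpn`, LNG names `LNG-1`/`LNG-2`, and /24 masks for the two prefixes (the post only gives the first three octets). The switch-side IP SLA/track that triggers it is left as the poster describes.

```shell
#!/bin/sh
# Added example (not from the original post). Swaps the address prefixes of
# the two Azure Local Network Gateways so that the LNG fronting the gateway
# that currently carries traffic holds the real on-prem prefix and the other
# LNG holds the placeholder, exactly the manual step in the post. Meant to be
# run from whatever host the core switch's IP SLA/track event reaches
# (assumption); it needs a logged-in Azure CLI.
#
# Hypothetical values (not from the post): resource group rg-vpn, LNG names
# LNG-1/LNG-2, /24 masks for both prefixes.
set -eu

RG="${RG:-rg-vpn}"
LNG1="${LNG1:-LNG-1}"          # LNG whose tunnel terminates on CP-1
LNG2="${LNG2:-LNG-2}"          # LNG whose tunnel terminates on CP-2
ONPREM="10.103.248.0/24"       # real LAN prefix behind the gateways
PLACEHOLDER="192.168.1.0/24"   # dummy prefix for the standby LNG

# Print the desired "<LNG> <prefix>" assignment for the active gateway
# (cp1 or cp2). The placeholder assignment is printed first on purpose:
# the standby LNG must give up the real prefix before the active LNG
# takes it, otherwise both LNGs hold 10.103.248.0/24 at the same time,
# the state the post reports as intermittent traffic.
lng_plan() {
  case "$1" in
    cp1) printf '%s %s\n%s %s\n' "$LNG2" "$PLACEHOLDER" "$LNG1" "$ONPREM" ;;
    cp2) printf '%s %s\n%s %s\n' "$LNG1" "$PLACEHOLDER" "$LNG2" "$ONPREM" ;;
    *)   echo "usage: lng_plan cp1|cp2" >&2; return 2 ;;
  esac
}

# Prefix currently configured on an LNG (requires az CLI).
lng_current_prefix() {
  az network local-gateway show --resource-group "$RG" --name "$1" \
    --query 'localNetworkAddressSpace.addressPrefixes[0]' --output tsv
}

# Which gateway is active right now, judged by who holds the real prefix.
lng_active() {
  if [ "$(lng_current_prefix "$LNG1")" = "$ONPREM" ]; then echo cp1
  elif [ "$(lng_current_prefix "$LNG2")" = "$ONPREM" ]; then echo cp2
  else echo none; fi
}

# Push the plan to Azure, one LNG at a time, in the order lng_plan emits.
apply_plan() {
  if [ "$(lng_active)" = "$1" ]; then
    echo "already on $1, nothing to do" >&2
    return 0
  fi
  lng_plan "$1" | while read -r name prefix; do
    echo "setting $name -> $prefix" >&2
    az network local-gateway update --resource-group "$RG" --name "$name" \
      --local-address-prefixes "$prefix" --output none
  done
}

# Entry point: "plan cp2" prints the assignment, "apply cp2" performs it.
# Without arguments the script only defines the functions (safe to source).
case "${1:-}" in
  plan)  lng_plan "${2:-}" ;;
  apply) apply_plan "${2:-}" ;;
  *)     : ;;
esac
```

Run `sh lng-swap.sh apply cp2` when the IP SLA reports the path via CP1 down, and `apply cp1` for the fallback; `plan cp2` shows what would change without touching Azure. The `lng_active` check makes the script idempotent, so a flapping probe that fires twice does not issue redundant updates. Expect each LNG update to take some time to propagate on the connected gateway, so tune the IP SLA hold-down so it does not flip back before the swap has completed.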
Chris_Atkinson
Employee

Have you considered using Route-based VPNs (VTI) with BGP / dynamic routing?

CCSM R77/R80/ELITE
handiansudianto
Advisor

Hi,

Do you have any article reference?

Chris_Atkinson
Employee

Whilst sk176249 is for vWAN, there is some commonality in the configuration.

I recall a guide was also previously posted here by a community member but for an older version:

https://community.checkpoint.com/t5/Security-Gateways/BGP-over-VPN-between-Azure-docx/m-p/38979?sear...


CCSM R77/R80/ELITE