Duminda_lakmal
Participant
Jump to solution

Change current critical production VPN configuration > Link Selection

Hi, 

I need a clear understanding of how to change a live, critical VPN configuration.

My situation is that we have 28 live VPNs on a Check Point gateway, with one ISP provider. For Link Selection we have configured the Check Point cluster VIP, using the "Selected address from topology table" option.

Now we have a new requirement: we have to create a new VPN tunnel using another (new) ISP link. Based on our configuration this will not work, because the link will be selected according to our previous Link Selection configuration.

1. Does anyone have a clear idea of how we can change this without major downtime?

2. How does "Calculate IP based on network topology" in the Link Selection options technically work? Do we need to enable ISP Redundancy for this requirement?

 

Thank you,

Duminda Lakmal.

1 Solution

Accepted Solutions
Duane_Toler
Advisor

If you have multiple external interfaces and uplinks and need a 3rd-party VPN (pre-shared key) to work with different uplinks, then you need sk173048:

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

In Link Selection, the first option can remain at "Main Address". For Outgoing link, choose "Based on routing decision". For the "When responding..." option, choose "Reply from the same interface".

On the gateways, set a static route to the external gateway out whichever interface/link you want.

Setting this registry value does require a cpstop;cpstart. You can do it on one cluster member at a time, however, with no outage.

 

6 Replies
_Val_
Admin

An answer depends on many things. One VPN community or multiple? Can you have two ISP links up at the same time? Those 28 remote GWs, who is managing them?

0 Kudos
Duminda_lakmal
Participant

Hi Val, currently we have 28 communities, but we are not touching those communities. Those will keep running on the existing WAN link, without any changes. Those remote peers are not managed by us.

We have a new ISP link; it is not connected to the Check Point yet. Once this link configuration is clarified, we are planning to lay the cables and do the configuration. We need to create a new VPN community connected through the mentioned new ISP WAN connection.

What will happen if we create a static route to the mentioned new peer GW through the mentioned new ISP link (our default route will still remain and will not impact current connections), and set the gateway configuration > Link Selection > "Calculate IP based on network topology"? What is the impact when we do this? Kindly help me.

I cannot find a guide for configurations like these.

Thank you,

Duminda Lakmal

PhoneBoy
Admin

ISP Redundancy is only needed if you are changing the default route for ALL traffic.
If you're just routing traffic for a specific VPN out a specific interface to go out a different ISP, all that's really needed is static routes on the gateway for the relevant VPN subnets to point to the nexthop IP of the other ISP.

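The two answers above (Duane_Toler's accepted solution and PhoneBoy's note) both come down to the same change on the gateway: leave the default route alone and add static routes so that only the new peer's traffic is resolved out the new ISP link. The following is an added worked example of that step in Gaia clish; it is not from the thread or from Check Point documentation. All addresses are constructed RFC 5737 placeholders, the encryption domain is assumed, and the Link Selection settings and the sk173048 registry change themselves are not reproduced here (Link Selection is set in SmartConsole on the gateway object and needs a policy install; the registry value is only in the SK).

```clish
# Added example, not the thread's own configuration. Run on ONE cluster member
# at a time, in Gaia clish. Placeholders (assumed, RFC 5737 ranges):
#   192.0.2.1      next-hop router on the NEW ISP link
#   203.0.113.10   public IP of the new 3rd-party VPN peer
#   10.50.0.0/16   encryption domain behind that peer (assumed)
# The existing default route toward the old ISP is not touched, so the
# 28 existing communities keep using it.

# 1. Host route to the peer's public IP: IKE/ESP to this peer now leaves via
#    the new ISP. With "Outgoing link: Based on routing decision" this is the
#    route Link Selection follows.
set static-route 203.0.113.10/32 nexthop gateway address 192.0.2.1 on

# 2. Route for the peer's encryption domain, so traffic destined for it is
#    also resolved toward the new link rather than the default route.
set static-route 10.50.0.0/16 nexthop gateway address 192.0.2.1 on

# 3. Check that only these two destinations point at the new next hop
#    before committing.
show route static

# 4. Persist the change.
save config

# 5. Only if the sk173048 registry setting was also applied on this member:
#    from expert mode, confirm this member is Standby, then cpstop; cpstart,
#    wait until "cphaprob state" shows Active/Standby again, and repeat the
#    whole sequence on the other member.
```

Check on the 3rd-party side which local address the peer expects: with a different uplink the peer must be pointed at the address this gateway uses on the new link, which is what sk173048 covers for the "Main Address" case. After the policy install, the new tunnel can be checked with `vpn tu` on the member that is Active.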
Duminda_lakmal
Participant

Hi, 

Thank you so much for the advice. Kindly advise what happens if we set the gateway configuration > Link Selection > "Calculate IP based on network topology" option together with static routes?

the_rock
Legend

Keep in mind that even if you are using ISP Redundancy, if one link fails, VPN tunnels will never get re-established, as the other end will never know about the "new" external IP address.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic...

Though based on what it says at the top of that link, it's not 100% clear; maybe someone else can confirm:

Note - ISP Redundancy settings override the VPN Link Selection settings.

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link.

The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page
