This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pavan_Kumar
Contributor
‎2023-10-27 09:27 AM
Jump to solution

CheckPoint Route Based VPN and Failover using Tunnel IP Monitoring

Hi, I trying to achieve vpn redundancy in route based vpn method. Attached the steps I followed to achieve it. It would be helpful if someone from checkpoint verify the configuration and let me know whether the steps are recommended or not. If not, what needs to be changed?

Preview file
2011 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-11-01 11:13 AM
In response to Pavan_Kumar
Jump to solution

The remote encryption domain should also be defined as empty.
Then this configuration should work (subject to your routing configuration).
Otherwise, I think SmartConsole may throw an error related to overlapping encryption domains.

View solution in original post

(1)
6 Replies
PhoneBoy
Admin
Admin
‎2023-10-30 02:11 PM
Jump to solution

Usually it's a dynamic routing protocol that's used for redundancy in this case.
Never seen it done with IP Monitoring...not even sure it works.
Have you tested in the lab?

0 Kudos
Pavan_Kumar
Contributor
‎2023-10-30 10:00 PM
In response to PhoneBoy
Jump to solution

yes.. I have tested it in lab, failover is happening once the link monitor fails and traffic will switch over to secondary vpn within few seconds..

Link monitor concept generally used in other vendors for vpn redundancy between on-premise firewall and AWS/Azure using static routing.. I just tested it on checkpoint and its working..

I would like to know,

is vpn redundancy on checkpoint achievable only by keeping "Empty Group" on VPN domain, either its dynamic routing or static routing with link monitor?

OR

is vpn redundancy on checkpoint can also be achievable by keeping "Specific Network" on VPN domain without using MEP? 

Because my customer needs vpn redundancy, but they are concerned about using "Empty Group" on vpn domain..

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-31 03:53 PM
In response to Pavan_Kumar
Jump to solution

To use Route-Based VPNs, you typically use an empty encryption domain.
If you have to mix the two on the same gateway, be mindful of the following restrictions: https://support.checkpoint.com/results/sk/sk109340
As to whether your route monitoring will work with a Domain-Based VPN...can't say.

0 Kudos
Pavan_Kumar
Contributor
‎2023-11-01 07:29 AM
In response to PhoneBoy
Jump to solution

I went through the article and understood if the same encryption domain is used for both route based and domain based vpn, the domain based vpn will take precedence and traffic always routed via domain based vpn.

 

Also I understood its suggested to use empty encryption domain for route based vpn.

 

My customer wanted to know, What will be the behavior/impact if same encryption domain(specific IP/network) is  used for two route based vpn?

(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-2 (20.0.0.1) VPN community-1

(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-4 (20.0.0.1) VPN community-1

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-01 11:13 AM
In response to Pavan_Kumar
Jump to solution

The remote encryption domain should also be defined as empty.
Then this configuration should work (subject to your routing configuration).
Otherwise, I think SmartConsole may throw an error related to overlapping encryption domains.

(1)
Pavan_Kumar
Contributor
‎2023-11-02 04:55 AM
In response to PhoneBoy
Jump to solution

Got it.. Thanks..

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events