Pavan_Kumar
Contributor

CheckPoint Route Based VPN and Failover using Tunnel IP Monitoring

Hi, I am trying to achieve VPN redundancy using the route-based VPN method. Attached are the steps I followed to achieve it. It would be helpful if someone from Check Point could verify the configuration and let me know whether the steps are recommended or not. If not, what needs to be changed?

6 Replies
PhoneBoy
Admin

Usually it's a dynamic routing protocol that's used for redundancy in this case.
Never seen it done with IP Monitoring...not even sure it works.
Have you tested in the lab?

Pavan_Kumar
Contributor

Yes, I have tested it in the lab. Failover happens once the link monitor fails, and traffic switches over to the secondary VPN within a few seconds.

The link monitor concept is generally used by other vendors for VPN redundancy between an on-premises firewall and AWS/Azure using static routing. I just tested it on Check Point and it is working.

I would like to know:

Is VPN redundancy on Check Point achievable only by keeping an "Empty Group" as the VPN domain, whether it is dynamic routing or static routing with link monitor?

OR

Can VPN redundancy on Check Point also be achieved by keeping a "Specific Network" as the VPN domain, without using MEP?

My customer needs VPN redundancy, but they are concerned about using an "Empty Group" as the VPN domain.

PhoneBoy
Admin

To use Route-Based VPNs, you typically use an empty encryption domain.
If you have to mix the two on the same gateway, be mindful of the following restrictions: https://support.checkpoint.com/results/sk/sk109340
As to whether your route monitoring will work with a Domain-Based VPN...can't say.

Pavan_Kumar
Contributor

I went through the article and understood that if the same encryption domain is used for both route-based and domain-based VPN, the domain-based VPN takes precedence and traffic is always routed via the domain-based VPN.

I also understood that it is suggested to use an empty encryption domain for route-based VPN.

My customer wanted to know: what will be the behavior/impact if the same encryption domain (specific IP/network) is used for two route-based VPNs?

(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-2 (20.0.0.1) VPN community-1

(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-4 (20.0.0.1) VPN community-1

PhoneBoy
Admin

The remote encryption domain should also be defined as empty.
Then this configuration should work (subject to your routing configuration).
Otherwise, I think SmartConsole may throw an error related to overlapping encryption domains.

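As an added example, not taken from the original thread or from Check Point documentation, this is one way the routing side of the two-tunnel setup discussed above can look in Gaia clish. Every name and address is an assumption: Gateway-2 and Gateway-4 are the names of the peer gateway objects in SmartConsole, 192.168.20.0/24 stands for the remote network, and the /30 tunnel addresses are made up. The encryption domain of the local gateway and of both peers is set to an empty group in SmartConsole, as the reply above states; that part is not done in clish. The command syntax is reproduced from memory of the Gaia clish and should be checked against the Gaia Administration Guide for the installed release.

```clish
# Two numbered VTIs, one per peer. The peer name must match the gateway
# object name in SmartConsole. Tunnel addresses are assumed /30 pairs.
add vpn tunnel 1 type numbered local 10.10.10.1 remote 10.10.10.2 peer Gateway-2
add vpn tunnel 2 type numbered local 10.10.11.1 remote 10.10.11.2 peer Gateway-4

# Same destination via both tunnels. The priority 1 next hop is preferred;
# the priority 2 next hop is only used when the priority 1 next hop is gone.
set static-route 192.168.20.0/24 nexthop gateway address 10.10.10.2 priority 1 on
set static-route 192.168.20.0/24 nexthop gateway address 10.10.11.2 priority 2 on

# Ping monitoring of the next hops: when the remote tunnel IP of the primary
# VTI stops answering, Gaia withdraws that next hop and the priority 2 route
# via the second VTI takes over. Restoring the primary reverses the switch.
set static-route 192.168.20.0/24 ping on

save config
```

Two things to check after applying this: `show route` should list 192.168.20.0/24 via 10.10.10.2 while both tunnels are up, and pulling the primary tunnel should make it move to 10.10.11.2 within the monitoring interval. The peer side needs the mirror of this configuration, the VTI interfaces (vpnt1, vpnt2) must be added to the gateway topology in SmartConsole with correct anti-spoofing, and the ping monitor only tells you whether the remote tunnel address answers ICMP, so the remote gateway must permit ICMP on its VTI address or the primary route will never be installed.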
Pavan_Kumar
Contributor

Got it. Thanks.
