HighTech
Explorer

Checkpoint site to site VPN to Sonicwall (Sonicwall has two ISP links)

Hi Geeks!

Is it possible to have VPN redundancy between Checkpoint and a 3rd party gateway that has two WAN IPs? I have the following use case (diagram attached):

  • Checkpoint cluster r81.40 with one ISP link
  • Sonicwall firewall with two ISP links
  • A domain-based VPN is already established between CP and the Sonicwall WAN1 link
  • Sonicwall is configured for VPN redundancy through both WAN links

Is there a way to configure CP to use the tunnel through WAN1 as the primary and the tunnel through WAN2 as the secondary link for the VPN?

Thanks in advance!

0 Kudos
9 Replies
the_rock
Legend

Thanks for the detailed explanation, makes it way easier to help @HighTech , fantastic job!

Now, here is my "reckoning" for the lack of a better term lol

So, logically, I'm fairly sure you can do this, but you need to make sure link selection is configured properly. So, in your case, since CP has only 1 link, tunnels would always "terminate" on the same external IP. Now, technically, since Sonicwall has 2 ISP links, you really would need to have 2 separate VPN tunnels. In that case, I'm thinking link selection could look something like below...

Let me know if that makes sense. If not, we can do remote and go through it, if you are allowed to.

Andy

Screenshot_1.png (attached image, not reproduced here)

0 Kudos
the_rock
Legend

One other thing I thought of...see, on the CP side, you can only really choose the IP of the interoperable object (in this case Sonicwall) by setting the right address in SmartConsole for the object itself, NOT via link selection, that's more for the Check Point fw (cluster). Having said that, that's why I'm thinking having 2 tunnels would make the most sense, to me anyway. But, let's see what other boys and girls have to say 🙂

Andy

0 Kudos
HighTech
Explorer

Hi @the_rock ,

Thanks for your feedback! I am thinking of having two tunnels too (add two gateways, aka interoperable devices, as satellite gateways in the same community), it seems so logical. However, in case both peer IPs are UP, how will CP know which tunnel to use for the VPN traffic, since both gateways have the same encryption domain?

Thank you.

0 Kudos
the_rock
Legend

You are 100% right, agree...but, I'm thinking it may make more sense to have, say, 2 separate VPN tunnels, but then one way to do it would be to either disable the VPN rule for the 2nd tunnel OR take the interoperable object out of the 2nd VPN community, so only the 1st one would be operational.

But then again, if the 1st one fails, failover would not be automatic, as you would need to add the interoperable object into the 2nd community manually.

Anywho, let's see what others say, hopefully there is a better way...

Andy

0 Kudos
HighTech
Explorer

So that means there is no way to have the failover automatic, just like other firewalls (Cisco ASA, FortiGate, etc.)?

0 Kudos
the_rock
Legend

I'm not aware of an easy way myself, or any way for that matter, but maybe someone else is...let's see.

Andy

0 Kudos
the_rock
Legend

Personally, just to get an official statement, it might be worth a TAC case.

Andy

0 Kudos
Alex-
Leader

Use Route-based VPN instead of Domain-based VPN for more control.

0 Kudos
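As an added illustration of the route-based approach Alex- points to (this is not configuration from the thread or from Check Point, and the tunnel IDs, 169.254.x.x VTI addresses, peer object names and the 192.168.50.0/24 remote network are all assumptions), two numbered VTIs in Gaia clish, one per SonicWall WAN peer, with the remote network routed over both at different priorities so the routing table, not the encryption domain, decides which tunnel carries the traffic:

```clish
# Gaia clish, run on the gateway (on a cluster, on each member). Added example:
# every address, ID and object name below is an assumption, not a value from the thread.
# Two interoperable-device objects are assumed to exist in SmartConsole, one per
# SonicWall WAN address, named SonicWall_WAN1 and SonicWall_WAN2.

# VTI 1: tunnel to the SonicWall's WAN1 peer (local/remote are the VTI endpoint addresses)
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.2 peer SonicWall_WAN1
# VTI 2: tunnel to the SonicWall's WAN2 peer
add vpn tunnel 2 type numbered local 169.254.2.1 remote 169.254.2.2 peer SonicWall_WAN2

# Remote LAN behind the SonicWall, reachable via either VTI.
# priority 1 is preferred; the priority 2 next hop is used only when the first is down.
set static-route 192.168.50.0/24 nexthop gateway address 169.254.1.2 priority 1 on
set static-route 192.168.50.0/24 nexthop gateway address 169.254.2.2 priority 2 on
# Ping-monitor the next hops so the preferred route is withdrawn when that VTI peer stops answering
set static-route 192.168.50.0/24 ping on

save config
```

The SmartConsole side (both interoperable objects in the community with an empty-group VPN domain, as route-based VPN requires, and a rule permitting the traffic) is not shown; whether the SonicWall end accepts the same subnet over either of its two tunnels is its own configuration, which the original post says is already set up for redundancy.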
the_rock
Legend

Not sure @Alex- that would change the automatic failover scenario @HighTech wants to achieve.

Andy

0 Kudos
