This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
adamec
Contributor
‎2024-02-07 01:46 AM

Creating route based VPN as a backup to L2 connectivity (MPLS?)

Hi guys,

currently we have two locations with two CheckPoint lcuster on each side. There is MPLS between them and we would like to create a route based VPN as a backup to the MPLS.

So far we have configured empty VPN domains, gateways (cluster) objects on each side, VPN community on each side, we created virtual tunnel interfaces for each gw and for clusters. We set priority for MPLS 1 and priority for VTI tunnel as 8.

after we installed the policy on remote site, checkPoint started IKE communication and started putting all communication into the non existing route based VPN tunnel. 

The question is, why did CheckPoint started sending all traffic to the non existing VPN tunnel even though VTI had lowest route priority possible.

We reverted changes and everything is working now.

Labels
0 Kudos
10 Replies
Gojira
Collaborator
Collaborator
‎2024-02-07 03:25 AM

I think this is the SK you need:

https://support.checkpoint.com/results/sk/sk56384

0 Kudos
adamec
Contributor
‎2024-02-07 04:09 AM
In response to Gojira

Hi,thanks. I will give it a try and will update you ASAP

0 Kudos
adamec
Contributor
‎2024-02-07 05:31 AM
In response to Gojira

Okay, we ran into a problem. Since we are hidden behing NAT we were using staticall NATed settings as we can see in the picture. But once we select Load sharing/high availability there is not any option to select IP of NAT.

Preview file
213 KB
0 Kudos
Gojira
Collaborator
Collaborator
‎2024-03-19 02:11 AM
In response to adamec

Maybe check with TAC to see what the options are?

0 Kudos
adamec
Contributor
‎2024-03-19 05:57 AM
In response to Gojira

Response from TAC:

After reviewing case details, it seems like configuration and setup issue. Just to clarify something on the issue, In TAC we are break/fix only and do not help in configuration.  As per case description, nothing seems to be broken on the environment, the best people we have available to help you with your issue will be the Professional Services. In order for design and configuration it needs to be with Professional Services, Diamond, or an SE.

 

0 Kudos
adamec
Contributor
‎2024-03-19 02:08 AM
In response to Gojira

This SK looks really good, except. We are NATed behind a perimeter router. There is no way to specify NATed IP if we go with "Use probing, link redundancy mode"

 

0 Kudos
AmirArama
Employee
Employee
‎2024-02-07 03:42 AM

Hi,
what do you mean by non existing?
you say that the GW has routed the traffic through the VTI, and not through the MPLS? did you verify that with packet capture? did you saw that the active route is indeed through the mpls? (show route clish command / 'route -n' in expert)
did you verify to have empty vpn domain configured on both sides?
in route based VPN, only the routes can "send the traffic to the vpn peer", so it must be something in the routes, unless you left domain based configuration which routed the traffic. (fw tab -t vpn_routing -u -f)

0 Kudos
adamec
Contributor
‎2024-02-07 04:18 AM
In response to AmirArama

Hi, we configured empty VPN domains on both sides. We added route to the routing table mpls priority 1 and vpn route priority 8.
We installed policy on one side only and it tried to initiate tunnel, IKE without any luck since other side did not have policy installed yet. And it started routing traffic through VTI but as long as tunnel was not up it dropped all traffic.

Is it understandable?

0 Kudos
AmirArama
Employee
Employee
‎2024-02-08 12:01 PM
In response to adamec

Yes i understand what you wrote. 
however, there is no reason for traffic to be routed towards VTI, unless the route table say so.
i would doublecheck it.

  1. verify the actual active route in the kernel ('route -n' for example) when you do that. (is it via vti or mpls?)
    1. maybe the mpls route wasn't active, was less specific than the vti route, or any other misconfiguration.
  2. verify that traffic is routed through mpls/vti by fw monitor.
    1. also by vpn tu conn - - - - - command (5 tupple, - for any) - it will show you if it's attempted encryption or not.
  3. verify your dst is not actually learned by the domain based somehow (fw tab -t vpn_routing -u -f  = make sure your dst isn't there)

if it's still not working, maybe open TAC to run kernel debug in order to investigate the routing decision.

p.s if you don't mind encrypt over the mpls as well, and if both VPN peers are managed by the same Security management, you can try our Quantum SD-WAN in order to create overlay network over both mpls & Internet lines.

Thanks

0 Kudos
adamec
Contributor
‎2024-03-19 02:20 AM
In response to AmirArama

We immediately needed to return to previous revision, as our bussiness requires remote system to be accessible all the time. We did not have time to troubleshoot. We are going to try this SK How To Create a Redundant, Service-based MPLS/Encrypted Link VPN (checkpoint.com) but unfortunatelly there is not NAT settings, since we are behind perimeter router that is NATing our communication we would need to configure thid NATed IP and tell VPN that what is it's public IP.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events