Having multiple External addresses for IPsec
I have a 4000 series appliance on r77.30 that is our externally facing gateway.
Our ISP is forcing us to change all of our public IP addresses (yay me).
We have quite a few IPsec tunnels for vendors, remote locations, etc...
I'd like to find a way to simultaneously use both the old address and the new one for IPsec so that I can transition the tunnels one-by-one and not update every vendor simultaneously. In time, I could remove the old address entirely.
I have an external interface configured with the new address and it is able to ping externally.
Here's a breakdown:
1.1.1.1 - current address for IPsec
2.2.2.2 - new address that will be for IPsec
Tunnel 1- vendor ABC
Tunnel 2- vendor XYZ
Current setup-
Tunnels 1 and 2 are pointed at 1.1.1.1
Desired setup-
Tunnel 1 -> pointed at 1.1.1.1
Tunnel 2 -> pointed at 2.2.2.2
Both tunnels running simultaneously without interruption.
This is a live environment so the lower the impact, the better.
Any advice is appreciated...
Thanks!
- Tags:
- ipsec
CP supports multiple external interfaces for both VPN and clear text traffic; look for ISP redundancy articles. Maintaining multiple S2S IPsec tunnels on both external interfaces is possible, but requires some additional effort to configure. The working solution should be a route-based VPN. To start looking into this, go to sk35560.
However, there is a caveat.
I assume you are using a simplified Domain Based S2S VPNs, and the remote VPN GWs are under someone else's management. In such a case I would strongly advise you to consider alternative IP migration scenarios, as moving from a Domain Based to Route Based VPN (VTIs or not) will only add complexity to your environment. In case you are not managing the remote GWs in the tunnels, you will also have to ask your VPN partners to reconfigure their sides.
I find myself in the same situation. How did you end up going about it if I may ask?
Have you found a solution? If yes, can you share it?
Did anyone get a solution to this issue? Can you please share?
I forgot to reply to the post, but I did find a solution that has been in use for a couple of years now.
Basically, I got a 1590 (with LTE) connected to the Internet via 4G (LTE interface - dynamic IP) and via WAN (DHCP) to a broadband satellite (almost fixed IP) - two different ISPs. Each external interface has an IPsec tunnel to a different company. Over the 4G interface I've set up a certificate-based VPN (dynamic IP) as it was the only way to do it (plus I manage both ends of the tunnel), and over the WAN interface a regular IPsec VPN. Both are domain-based VPNs. PBR was also necessary.
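The two replies above (the "ISP redundancy" pointer and the note that "PBR was also necessary") share one underlying issue: a plain routing table picks the egress link by destination only, so packets for the tunnel that was moved to the new address still leave through the default-route link. The script below is an added illustration of that decision, not code from this thread, from Check Point, or in Gaia syntax; it uses the 1.1.1.1 / 2.2.2.2 addresses from the question and constructed interface names, next hops and peer addresses, and shows the mismatch without policy routing and the fix with a rule keyed on the local VPN address.

```python
"""Egress selection for IKE/ESP on a gateway with two public addresses.

Added illustration for this thread; not Check Point code and not clish syntax.
With destination-only routing both tunnels leave via the default-route link,
so the tunnel sourced from the new address is sent out the wrong interface.
A policy-based routing (PBR) rule on the source address corrects that.
Interface names, next hops and peer addresses are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    address: str   # the gateway's public address on this link
    next_hop: str  # the ISP router reached through this link


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: str     # address the peer has configured as our gateway address
    peer: str      # remote VPN gateway (constructed documentation addresses)


# Constructed topology: old ISP on eth1 (still the default route), new ISP on eth2.
ETH1 = Interface("eth1", "1.1.1.1", "1.1.1.254")
ETH2 = Interface("eth2", "2.2.2.2", "2.2.2.254")

# Ordinary routing table: connected subnets plus one default route via the old ISP.
ROUTES = [
    (ip_network("1.1.1.0/24"), ETH1),
    (ip_network("2.2.2.0/24"), ETH2),
    (ip_network("0.0.0.0/0"), ETH1),
]

# PBR policy: packets sourced from a given public address must use that link.
PBR_RULES = {ETH1.address: ETH1, ETH2.address: ETH2}

# Tunnel 1 stays on the old address, tunnel 2 moves to the new one (as in the question).
TUNNELS = [
    Tunnel("vendor-ABC", "1.1.1.1", "198.51.100.10"),
    Tunnel("vendor-XYZ", "2.2.2.2", "203.0.113.20"),
]


def route_lookup(dst: str, routes=ROUTES) -> Interface:
    """Longest-prefix match on the destination only, as a plain routing table does."""
    best = None
    for net, iface in routes:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def pbr_lookup(src: str, dst: str, rules=PBR_RULES, routes=ROUTES) -> Interface:
    """Policy routing: a source-address rule is consulted before the routing table."""
    iface = rules.get(src)
    return iface if iface is not None else route_lookup(dst, routes)


def tunnel_consistent(tunnel: Tunnel, egress: Interface) -> bool:
    """IKE/ESP only works if the packet leaves the link that owns the expected source.

    The peer accepts traffic only from tunnel.local, and an ISP normally forwards
    only packets sourced from addresses assigned to its own link.
    """
    return tunnel.local == egress.address


def evaluate(with_pbr: bool) -> dict:
    """Return {tunnel name: works?} for each tunnel under the chosen routing mode."""
    results = {}
    for t in TUNNELS:
        egress = pbr_lookup(t.local, t.peer) if with_pbr else route_lookup(t.peer)
        results[t.name] = tunnel_consistent(t, egress)
    return results


if __name__ == "__main__":
    print("destination routing only:", evaluate(False))
    print("with PBR on source address:", evaluate(True))
```

Run as-is, the first line reports vendor-XYZ as broken (its packets are sent out eth1 while the vendor expects them from 2.2.2.2) and the second reports both tunnels consistent. On a real gateway the same mismatch shows up on the vendor side as IKE arriving from an unexpected peer address, which is why the migration also depends on each vendor updating the peer address on their end.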
Hi, did anyone get a working solution for this? 2 different IPsec tunnels for 2 different customers over 2 different outgoing/external interfaces?
Hello! I need the solution.
