Sandgirl
Contributor

High availability for VPN connections to two external gateways

Hi,

 

We have a VPN established between our Checkpoint cluster and a remote gateway. 

The owner of the remote gateway has asked if we could create an additional VPN tunnel to a secondary remote gateway, to set up high availability: VPN traffic only flows to the primary (original) remote gateway, unless the gateway becomes unreachable. If this happens, the traffic is to be flowing to a secondary (new) gateway. 

Is this possible to achieve? And if yes, how? 

Sandgirl

0 Kudos
30 Replies
PhoneBoy
Admin
Admin

You need to configure MEP (Multiple Entry Point) or a Route-Based VPN.
For MEP: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...

0 Kudos
Sandgirl
Contributor

Hi,

I'm not sure I was clear in my previous post. 
If I understand it correctly, MEP would be setting up redundancy on our end, so the remote gateway connects to either (our) primary gateway or (our) secondary gateway. 

 

What we need is a redundant connectivity from our cluster to two remote security gateways.

If the tunnel between our cluster and the primary remote gateway fails, then the traffic flows from our cluster to the secondary remote gateway (via the backup VPN tunnel). 

Regards,

Sandgirl

 

0 Kudos
the_rock
Legend
Legend

You are right about MEP @Sandgirl. If you want to achieve the 2nd scenario, it sounds like you may need some BGP config done, because if one VPN was to fail, unless routes match 100%, the other one would never take over.

My colleague and I actually have a call today with Azure support for a similar question one of our customers had, as there are a few things to consider. In this case, it's related to ExpressRoute, so say if the prefix is the same, then ExpressRoute is always preferred over VPN, but if say you have a /24 over a /23 prefix, the bigger number prefix will always take precedence.

As far as 2 VPN tunnels, your case might be a bit different though...

Andy

0 Kudos
Sandgirl
Contributor

What if I have two external gateways added in the same community? Will Checkpoint be sending the traffic to both gateways at the same time? And if one of the tunnels fails, will the traffic still go through the secondary tunnel?

 

Regards,
Joanna

0 Kudos
the_rock
Legend
Legend

You mean if you have 1 community with 1 CP center gateway and 2 interoperable objects (external) as satellites? If so, I had never seen such a scenario work in a failover.

Regards,

Andy

0 Kudos
Sandgirl
Contributor

How would the traffic flow if there was nothing wrong? Would the traffic flow to both gateways (through two tunnels)? Or would only one tunnel be used?

Regards,

Sandgirl 

0 Kudos
the_rock
Legend
Legend

I'm thinking both, but not 100% sure; maybe someone else can confirm.

Andy

0 Kudos
Wolfgang
Authority
Authority

@Sandgirl follow my post and the mentioned knowledgebase article. Your needed configuration is shown there.

0 Kudos
the_rock
Legend
Legend

As Phoneboy said, you need MEP, but it would be same vpn community.

Andy

0 Kudos
Wolfgang
Authority
Authority

@Sandgirl like @PhoneBoy said, MEP is your solution. MEP is supported with third party gateways at the remote site. The main difference to Check Point's own RDP probing: your remote gateways should support Dead Peer Detection (DPD). Your gateway/cluster probes the remote gateways and if the primary is available this link will be used for your VPN. If the primary is dead and the backup gateway answers via DPD, the second link will be used for the VPN tunnel.

Configuration of MEP with third party will be tricky and needs a lot of knowledge at both sites. Have a look at the link mentioned by @PhoneBoy and the following knowledgebase article: VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer

An example for VPN redundancy with Zscaler can be seen here: How to set up VPN between a Check Point Security Gateway and Zscaler ZIA Public Service Edge

RalphLopez
Explorer

I had the same situation as @Sandgirl... Peer has two Palo Alto appliances with two different ISP links and IP addresses, and wants to set up a redundant link to my Cluster with only one VIP and internet connection. I had no idea I could set third party gateways to be the center in a MEP setup and I'm just the remote.

Will give this a try if they are good with the configuration on the other side.

Thanks so much!

0 Kudos
the_rock
Legend
Legend

You can do that, BUT, I still don't believe failover would work that way either.

Andy

0 Kudos
Wolfgang
Authority
Authority

@RalphLopez  follow my post. The solution for a redundant VPN with third party gateways could be found in the mentioned article.

0 Kudos
the_rock
Legend
Legend

It's all great in theory, but it does not really work. Not sure if anyone made it work, but I was with a customer once on the phone for 7 hours trying to do so, and after talking to many T3s and escalation people, it seems like they gave up on it and we just left it alone.

Andy

0 Kudos
Sandgirl
Contributor

At the moment our gateways have only one external IP, which is a cluster IP. It's the remote peer that has two reachable IPs. 

The third party now says that we need to set up VTIs on our end, but will this work since we have a cluster rather than the single gateway? 

Regards,
Sandgirl

0 Kudos
PhoneBoy
Admin
Admin

Yes, and you can either use unnumbered VTIs or numbered VTIs using private addresses.

0 Kudos
Sandgirl
Contributor

So, if I do the following:

- Create one VPN community with both external gateways as remote peers
- Add two unnumbered VTIs pointing to one external gateway each
- Create a static route in the Gaia portal pointing to VTI1 with priority 1 and VTI2 with priority 2
- Add a security rule with the new community in the VPN section

Would that be enough?
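The checklist above rendered as Gaia clish, as an added example that is not from this thread or from Check Point's documentation; it uses the numbered-VTI variant and assumes two interoperable device objects named RemoteGW_A and RemoteGW_B, placeholder VTI addresses in 10.255.0.0/30 and 10.255.0.4/30, and 192.168.50.0/24 as the placeholder remote network, so verify the exact command syntax against the Gaia admin guide for your release.

```clish
# Constructed example: RemoteGW_A / RemoteGW_B are the two interoperable
# device objects already added to the VPN community; all addresses are
# placeholders. On a cluster, run the VTI commands on each member and add
# the VTI addresses to the cluster object's topology in SmartConsole.

# One numbered VTI per remote peer (vpnt1 -> primary, vpnt2 -> backup)
add vpn tunnel 1 type numbered local 10.255.0.1 remote 10.255.0.2 peer RemoteGW_A
add vpn tunnel 2 type numbered local 10.255.0.5 remote 10.255.0.6 peer RemoteGW_B

# The same destination over both tunnels, identical prefix on purpose:
# the lower priority value is used while its next hop answers, so traffic
# stays on vpnt1 and only moves to vpnt2 when 10.255.0.2 stops responding
set static-route 192.168.50.0/24 nexthop gateway address 10.255.0.2 priority 1 on
set static-route 192.168.50.0/24 nexthop gateway address 10.255.0.6 priority 2 on

# Enable next-hop reachability checking for the route; a next hop that
# stops answering pings is withdrawn from the routing table
set static-route 192.168.50.0/24 ping on

save config
```

The prefix must be identical on both routes: a longer prefix on either tunnel wins the lookup regardless of priority, which is the "routes must match 100%" point made earlier in the thread.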

PhoneBoy
Admin
Admin

That sounds about right, though with VTIs, you should have an empty encryption domain.

0 Kudos
the_rock
Legend
Legend

That's right to me. I will send you a link later or tomorrow where I gave some info on how to do this.

Happy new year!

Best,

Andy

0 Kudos
the_rock
Legend
Legend

0 Kudos
Sandgirl
Contributor

So in the end I managed to get it working... kind of. 

After getting some help from the third party I was able to set it up with numbered VTIs and static routes in the test environment. Everything worked, including failover. 

However, when I tried to set it up exactly the same way in the production environment, I hit issues with the IP reachability. 
I set the routes with the gateway being an IP of the VTI on the other end. IP reachability kept failing. 
I have unticked the 'ping' option in one of the routes, meaning that the IP reachability for this route would be off. And, somehow, this caused the VTI on the other end to be reachable, and all the routes (including the one with IP reachability enabled) to be inserted into the routing table... but only for maybe half a minute. After that, it was failing again. The same thing happened when I added the remote VTI IPs into the IP reachability section of the Gaia UI. It worked for a bit, then it stopped. It's like the connection was spiked when I made the changes, and then it went down again. 

Anybody experienced anything similar? 

0 Kudos
Blason_R
Leader
Leader

I totally agree with you @the_rock and this has been a pain since the beginning; it works in theory but in practice you get frustration and nothing else. I eventually developed my own VPN solution based on Vyatta and strongSwan and it works like a charm. I eventually moved my customers to this one and not a single issue after that.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend
Legend

Excellent point @Blason_R 

0 Kudos
CheckPointerXL
Advisor
Advisor

If I understand correctly, MEP is not relevant here.

You need route based with dynamic routing or static routing+probing next hop

0 Kudos
Cristian_F_CCSM
Contributor
Contributor

Yes, I confirm, MEP isn't the best solution about the original request.

The solution is to have two interoperable VPN devices, two VPNT and eBGP.

Regards.

0 Kudos
JoSec
Collaborator

I have done this with a route based VPN to AWS using BGP and 2 tunnels and it works great. I have also set this up with a third party and it worked as well, but I had to utilize route priorities and monitoring since I could not utilize BGP to a public IP in R80.40, which I believe is now available in R81.10.

0 Kudos
CheckPointerXL
Advisor
Advisor

Hey Joe, how is AWS advertising routes to you to avoid asymmetric routing?

I guess the backup tunnel advertises, for example, 192.168.0.0/24 and the primary tunnel 192.168.0.0/25 and 192.168.0.128/25, right?

Is it possible on the AWS side? I have to set it up shortly.

0 Kudos