High availability for VPN connections to two external gateways
Hi,
We have a VPN established between our Check Point cluster and a remote gateway.
The owner of the remote gateway has asked if we could create an additional VPN tunnel to a secondary remote gateway, to set up high availability: VPN traffic only flows to the primary (original) remote gateway, unless that gateway becomes unreachable. If this happens, the traffic is to flow to a secondary (new) gateway.
Is this possible to achieve? And if yes, how?
Sandgirl
You need to configure MEP (Multiple Entry Point) or a Route-Based VPN.
For MEP: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...
Hi,
I'm not sure I was clear in my previous post.
If I understand it correctly, MEP would be setting up redundancy on our end, so the remote gateway connects to either (our) primary gateway or (our) secondary gateway.
What we need is a redundant connectivity from our cluster to two remote security gateways.
If the tunnel between our cluster and the primary remote gateway fails, then the traffic flows from our cluster to the secondary remote gateway (via the backup VPN tunnel).
Regards,
Sandgirl
You are right about MEP @Sandgirl. If you want to achieve the 2nd scenario, it sounds like you may need some BGP config done, because if one VPN were to fail, unless the routes match 100%, the other one would never take over.
My colleague and I actually have a call today with Azure support for a similar question one of our customers had, as there are a few things to consider. In this case, it's related to ExpressRoute, so say if the prefix is the same, then ExpressRoute is always preferred over VPN, but if say you have a /24 over a /23 prefix, the longer prefix will always take precedence.
As far as 2 VPN tunnels, your case might be a bit different though...
Andy
What if I have two external gateways added in the same community? Will Check Point be sending the traffic to both gateways at the same time? And if one of the tunnels fails, will the traffic still go through the secondary tunnel?
Regards,
Joanna
You mean if you have 1 community with 1 CP center gateway and 2 interoperable objects (external) as satellites? If so, I had never seen such scenario work in a failover.
Regards,
Andy
How would the traffic flow if there was nothing wrong? Would the traffic flow to both gateways (through two tunnels)? Or would only one tunnel be used?
Regards,
Sandgirl
I'm thinking both, but not 100% sure, maybe someone else can confirm.
Andy
@Sandgirl follow my post and the mentioned knowledgebase article. The configuration you need is shown there.
https://support.checkpoint.com/results/sk/sk76281
As Phoneboy said, you need MEP, but it would be same vpn community.
Andy
@Sandgirl like @PhoneBoy said, MEP is your solution. MEP is supported with third-party gateways at the remote site. The main difference from Check Point's own RDP probing is that your remote gateways should support Dead Peer Detection (DPD). Your gateway/cluster probes the remote gateways and if the primary is available this link will be used for your VPN. If the primary is dead and the backup gateway answers via DPD, the second link will be used for the VPN tunnel.
Configuration of MEP with a third party will be tricky and needs a lot of knowledge at both sites. Have a look at the link mentioned by @PhoneBoy and the following knowledgebase article: "VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer".
An example of VPN redundancy with Zscaler can be seen here: "How to set up VPN between a Check Point Security Gateway and Zscaler ZIA Public Service Edge".
I had the same situation as @Sandgirl... The peer has two Palo Alto appliances with two different ISP links and IP addresses, and wants to set up a redundant link to my cluster with only one VIP and internet connection. I had no idea I could set third-party gateways to be the center in a MEP setup and I'm just the remote.
Will give this a try if they are good with the configuration on the other side.
Thanks so much!
You can do that, BUT, I still don't believe failover would work that way either.
Andy
@RalphLopez follow my post. The solution for a redundant VPN with third party gateways could be found in the mentioned article.
It's all great in theory, but it does not really work. Not sure if anyone made it work, but I was with a customer once on the phone for 7 hours trying to do so and after talking to many T3s and escalation people, it seems like they gave up on it and we just left it alone.
Andy
At the moment our gateways have only one external IP, which is a cluster IP. It's the remote peer that has two reachable IPs.
The third party now says that we need to set up VTIs on our end, but will this work since we have a cluster rather than the single gateway?
Regards,
Sandgirl
Yes, and you can either use unnumbered VTIs or numbered VTIs using private addresses.
So, if I do the following:
Create one VPN community with both external gateways as remote peers
Add two unnumbered VTIs pointing to one external gateway each
Create a static route in the Gaia Portal pointing to VTI1 with priority 1 and VTI2 with priority 2
Add a security rule with the new community in the VPN section
Would that be enough?
That sounds about right, though with VTIs, you should have an empty encryption domain.
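The steps above, written out as a Gaia clish configuration. This is an added example, not a configuration posted in the thread or taken from Check Point's documentation. The VTI names, the 169.254.x/30 tunnel addresses and the remote network 10.20.0.0/16 are assumptions; the VTIs themselves (and the empty encryption domain on the cluster object) are created in SmartConsole, not in clish, and the ip-reachability-detection lines are written from memory of the Gaia Administration Guide, so check them against the guide for your release before relying on them.

```clish
# Added example, hypothetical names and addresses.
# Gaia routing is configured per member, not synced by ClusterXL:
# run the same commands on BOTH cluster members.
#
# Assumed topology (VTIs created in SmartConsole on the cluster object):
#   vt-peerA : numbered VTI, local 169.254.10.1/30, remote 169.254.10.2 (primary peer)
#   vt-peerB : numbered VTI, local 169.254.20.1/30, remote 169.254.20.2 (backup peer)
#   10.20.0.0/16 : networks behind the remote site, reachable via either peer

# One static route with two next hops; the lower priority number is preferred,
# so traffic uses vt-peerA while 169.254.10.2 is reachable.
set static-route 10.20.0.0/16 nexthop gateway address 169.254.10.2 priority 1 on
set static-route 10.20.0.0/16 nexthop gateway address 169.254.20.2 priority 2 on

# Next-hop monitoring (the "ping" checkbox on the route in the Gaia Portal):
# the route is only installed via a next hop that answers ICMP, so when the
# primary VTI peer stops answering the priority-2 next hop takes over.
set static-route 10.20.0.0/16 ping on
set ip-reachability-detection addr 169.254.10.2 enable-ping on   # assumed syntax, verify
set ip-reachability-detection addr 169.254.20.2 enable-ping on   # assumed syntax, verify

# With UNNUMBERED VTIs there is no remote tunnel IP to probe; the next hop is
# the logical interface instead, and failover needs dynamic routing (BGP/OSPF):
#   set static-route 10.20.0.0/16 nexthop gateway logical vt-peerA priority 1 on
#   set static-route 10.20.0.0/16 nexthop gateway logical vt-peerB priority 2 on

save config

# Verification:
show route static        # both next hops listed, priority 1 marked active
show route              # 10.20.0.0/16 present only while a probed next hop answers
# From expert mode, "vpn tu tlist" shows which tunnel currently carries the SAs.
```

Two caveats a practitioner should keep in mind: the probe packets travel inside the tunnel, so the remote peer must accept ICMP to its VTI address and the tunnel must be allowed to come up for that traffic (a permanent tunnel is the usual way); if the probe never succeeds, the route is never installed, which looks exactly like "IP reachability keeps failing" rather than like a VPN problem. And because the selection is purely priority plus reachability, both next hops must carry identical prefixes; if the two peers advertise different prefix lengths, longest-prefix match decides before priority is ever considered.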
That's right to me. I will send you a link later or tomorrow where I gave some info on how to do this.
Happy new year!
Best,
Andy
This is the link I was referring to.
Andy
So in the end I managed to get it working... kind of.
After getting some help from the third party I was able to set it up with numbered VTIs and static routes in the test environment. Everything worked, including failover.
However, when I tried to set it up exactly the same way in the production environment, I hit issues with the IP reachability.
I set the routes with the gateway being an IP of the VTI on the other end. IP reachability kept failing.
I have unticked the 'ping' option in one of the routes, meaning that the IP reachability for this route would be off. And, somehow, this caused the VTI on the other end to be reachable, and all the routes (including the one with IP reachability enabled) to be inserted into the routing table... but only for maybe half a minute. After that, it was failing again. The same thing happened when I added the remote VTI IPs into the IP reachability section of the Gaia UI. It worked for a bit, then it stopped. It's like the connection was spiked when I made the changes, and then it went down again.
Anybody experienced anything similar?
I totally agree with you @the_rock and this has been a pain since the beginning; it works in theory but in practice you get frustration and nothing else. I eventually developed my own VPN solution based on Vyatta and strongSwan and it works like a charm. I eventually moved my customers to this one and have not had a single issue after that.
Blason R
CCSA, CCSE, CCCS
Excellent point @Blason_R
If I understand correctly, MEP is not relevant here.
You need route-based VPN with dynamic routing, or static routing + next-hop probing.
Yes, I confirm, MEP isn't the best solution for the original request.
The solution is to have two interoperable VPN devices, two VPN tunnel interfaces (VTIs) and eBGP.
Regards.
I have done this with a route based VPN to AWS using BGP and 2 tunnels and it works great. I have also set this up with a third party and it worked as well but I had to utilize route priorities and monitoring since I could not utilize BGP to a public IP in R80.40 which I believe is now available in R81.10.
Hey Joe, how is AWS advertising routes to you to avoid asymmetric routing?
I guess the backup tunnel advertises, for example, 192.168.0.0/24 and the primary tunnel 192.168.0.0/25 and 192.168.0.128/25, right?
Is it possible on the AWS side? I have to set it up shortly.
