Hi,
We have a VPN established between our Checkpoint cluster and a remote gateway.
The owner of the remote gateway has asked if we could create an additional VPN tunnel to a secondary remote gateway, to set up high availability: VPN traffic only flows to the primary (original) remote gateway, unless the gateway becomes unreachable. If this happens, the traffic is to be flowing to a secondary (new) gateway.
Is this possible to achieve? And if yes, how?
Sandgirl
You need to configure MEP (Multiple Entry Point) or a Route-Based VPN.
For MEP: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...
Hi,
I'm not sure I was clear in my previous post.
If I understand it correctly, MEP would be setting up redundancy on our end, so the remote gateway connects to either (our) primary gateway or (our) secondary gateway.
What we need is a redundant connectivity from our cluster to two remote security gateways.
If the tunnel between our cluster and the primary remote gateway fails, then the traffic flows from our cluster to the secondary remote gateway (via the backup VPN tunnel).
Regards,
Sandgirl
You are right about MEP @Sandgirl . If you want to achieve 2nd scenario, sounds like you may need some BGP config done, because if one VPN was to fail, unless routes match 100%, other one would never take over.
My colleague and I actually have a call today with Azure support for a similar question one of our customers had, as there are a few things to consider. In this case, it's related to ExpressRoute, so say if the prefix is the same, then ExpressRoute is always preferred over VPN, but if say you have a /24 over a /23 prefix, the bigger-number prefix will always take precedence.
As far as 2 VPN tunnels, your case might be a bit different though...
Andy
What if I have two external gateways added in the same community? Will Check Point be sending the traffic to both gateways at the same time? And if one of the tunnels fails, will the traffic still go through the secondary tunnel?
Regards,
Joanna
You mean if you have 1 community with 1 CP center gateway and 2 interoperable objects (external) as satellites? If so, I had never seen such scenario work in a failover.
Regards,
Andy
How would the traffic flow if there was nothing wrong? Would the traffic flow to both gateways (through two tunnels)? Or would only one tunnel be used?
Regards,
Sandgirl
I'm thinking both, but not 100% sure, maybe someone else can confirm.
Andy
@Sandgirl follow my post and the mentioned knowledge base article. Your needed configuration is shown there.
https://support.checkpoint.com/results/sk/sk76281
As Phoneboy said, you need MEP, but it would be same vpn community.
Andy
@Sandgirl like @PhoneBoy said, MEP is your solution. MEP is supported with third-party gateways at the remote site. The main difference to Check Point's own RDP probing: your remote gateways should support Dead Peer Detection (DPD). Your gateway/cluster probes the remote gateways and if the primary is available this link will be used for your VPN. If the primary is dead and the backup gateway answers via DPD, the second link will be used for the VPN tunnel.
Configuration of MEP with third party will be tricky and needs a lot of knowledge at both sites. Have a look at the link mentioned by @PhoneBoy and the following knowledge base article: "VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer".
An example for VPN redundancy with Zscaler can be seen here: "How to set up VPN between a Check Point Security Gateway and Zscaler ZIA Public Service Edge".
I had the same situation as @Sandgirl... Peer has two PaloAlto appliances with two different ISP links and IP addresses, and wants to setup redundant link to my Cluster with only one VIP and internet connection. I had no idea I could set third party gateways to be the center in MEP setup and I'm just the remote.
Will give this a try if they are good with the configuration on the other side.
Thanks so much!
You can do that, BUT, I still don't believe failover would work that way either.
Andy
@RalphLopez follow my post. The solution for a redundant VPN with third-party gateways can be found in the mentioned article.
It's all great in theory, but it does not really work. Not sure if anyone made it work, but I was with a customer once on the phone for 7 hours trying to do so and after talking to many T3s and escalation people, it seems like they gave up on it and we just left it alone.
Andy
At the moment our gateways have only one external IP, which is a cluster IP. It's the remote peer that has two reachable IPs.
The third party now says that we need to set up VTIs on our end, but will this work since we have a cluster rather than the single gateway?
Regards,
Sandgirl
Yes, and you can either use unnumbered VTIs or numbered VTIs using private addresses.
So, if I do the following:
Create one VPN community with both external gateways as remote peers
Add two unnumbered VTIs pointing to one external gateway each
Create a static route in Gaia portal pointing to VTI1 with priority 1 and VTI2 with priority 2
Add a security rule with the new community in the VPN section
Would that be enough?
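As an added illustration (not posted by anyone in this thread and not taken from Check Point documentation), here is roughly what those steps look like in Gaia clish on one cluster member, assuming numbered VTIs, placeholder peer names `peer-primary` and `peer-secondary` for the two interoperable device objects in SmartConsole, constructed RFC 1918 tunnel addresses, and a remote network of 192.168.0.0/24; lines starting with `#` are annotations, not commands. The second member repeats the VTI commands with its own local addresses, and the VTI VIPs are added to the cluster object's topology in SmartConsole.

```clish
# Added example with constructed values. The peer names must match the
# interoperable device objects that are members of the VPN community.
# Member A: one numbered VTI (vpnt1, vpnt2) per remote peer.
# Member B: same commands with its own local addresses, e.g. 10.255.1.2 / 10.255.2.2.
add vpn tunnel 1 type numbered local 10.255.1.1 remote 10.255.1.254 peer peer-primary
add vpn tunnel 2 type numbered local 10.255.2.1 remote 10.255.2.254 peer peer-secondary

# Two static routes to the remote network. Priority 1 is preferred; priority 2
# is only installed in the routing table when the priority-1 next hop is down.
# The next hop is the remote end of each VTI, so the route's fate is tied to
# reachability of that remote VTI address.
set static-route 192.168.0.0/24 nexthop gateway address 10.255.1.254 priority 1 on
set static-route 192.168.0.0/24 nexthop gateway address 10.255.2.254 priority 2 on

# IP reachability detection: Gaia pings the next hop and withdraws the route
# when it stops answering, which is what moves traffic onto the backup VTI.
set static-route 192.168.0.0/24 ping on

save config
```

Reachability detection only does its job if the remote side answers ICMP on its VTI address through the tunnel and the rule base allows that probe; if the probe is blocked, the priority-1 route flaps or never installs, and failover never happens.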
That sounds about right, though with VTIs, you should have an empty encryption domain.
That looks right to me. I will send you a link later or tomorrow where I gave some info on how to do this.
Happy new year!
Best,
Andy
This is the link I was referring to.
Andy
So in the end I managed to get it working... kind of.
After getting some help from the third party I was able to set it up with numbered VTIs and static routes in the test environment. Everything worked, including failover.
However, when I tried to set it up exactly the same way in the production environment, I hit issues with the IP reachability.
I set the routes with the gateway being an IP of the VTI on the other end. IP reachability kept failing.
I have unticked the 'ping' option in one of the routes, meaning that the IP reachability for this route would be off. And, somehow, this caused the VTI on the other end to be reachable, and all the routes (including the one with IP reachability enabled) to be inserted into the routing table... but only for maybe half a minute. After that, it was failing again. The same thing happened when I added the remote VTI IPs into the IP reachability section of the Gaia UI. It worked for a bit, then it stopped. It's like the connection was spiked when I made the changes, and then it went down again.
Anybody experienced anything similar?
I totally agree with you @the_rock and this has been a pain since the beginning; it works in theory but in practice you get frustration and nothing else. I eventually developed my own VPN solution based on Vyatta and strongSwan and it works like a charm. I eventually moved my customers to this one and not a single issue after that.
Excellent point @Blason_R
If I understand correctly, MEP is not relevant here.
You need route-based VPN with dynamic routing, or static routing with next-hop probing.
Yes, I confirm, MEP isn't the best solution for the original request.
The solution is to have two interoperable VPN devices, two VPNT interfaces and eBGP.
Regards.
I have done this with a route based VPN to AWS using BGP and 2 tunnels and it works great. I have also set this up with a third party and it worked as well but I had to utilize route priorities and monitoring since I could not utilize BGP to a public IP in R80.40 which I believe is now available in R81.10.
Hey Joe, how is AWS advertising routes to you to avoid asymmetric routing?
I guess the backup tunnel advertises, for example, 192.168.0.0/24 and the primary tunnel 192.168.0.0/25 and 192.168.0.128/25, right?
Is it possible on the AWS side? I have to set it up shortly.