This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2021-01-10 06:16 AM

How to configure VPN redundancy when I have more than two ISP and peer has only one

Hi Guys,

My scenario I have two ISPs configured in redundancy mode and one of our customer needs to have redundant S2S vpn with both the links.

I think MEP would not be possible since there is only one ISP at customer end which is center gateway and how do I add multiple ISPs for my cluster to configure it as MEP?

****************************************

My Firewall

ISP-1 11.12.13.14

ISP-2  15.16.17.18

 

Customer End : 20.20.20.20

Customer need

11.12.13.14 <--> 20.20.20.20 AND

15.16.17.18 <-->  20.20.20.20

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
3 Replies
WingChow7
Participant
‎2021-01-10 10:46 AM

Hi Blason_R,

ISP Load Sharing VPN works only in Check Point Gateways. For 3rd Party S2S VPN will only work with one external link, i mean that only one VPN ID (IP of Check Point Object) will share between Peers.

1) Example For Check Point Gateways Configuration: attached (name: CHKP ISP Load sharing VPN only)

In most cases for Check Point GW works with Load Sharing VPN, Route Based probing and IP address of chosen interface.

 

2) Example For 3rd Party VPN (Recommended): attached (name: 3rd party vpn)

Make sure that the external link for S2S VPN is used for IP Selection by remote peer. 

 

3) To have any external link involved into a Site to Site VPN make sure that you have a Application Delivery Controller above the Check Point GW to balance any IP and DNS Query for Site to Site VPN and the global configuration by Gateway will be like this: attached (name: DNS Site to Site VPN)

 So for any connection that is coming with alias (DNS Query) cp.abc.com will be negotiating.

 

Important: If you have any license of VSX (Virtual System Extension) you can create a Virtual Switch for each ISP and connect one Virtual Gateway to ISP1 and connect one Virtual Gateway to ISP2.

This feature is very important that we need a SD-WAN solution into Infinity Arquitecture to balance Default Gateway (2 and above) and NAT Outbound IP. That will help a lot for Site to Site VPN and Balance and VPN ID for any Link for Site to Site VPN, we hope that in the future releases we will have those features into R81.x.

Best regards,

 

3rd party vpn.jpg
Preview file
111 KB
DNS Site to Site VPN.jpg
Preview file
108 KB
CHKP ISP Load sharing VPN only.jpg
Preview file
157 KB
0 Kudos
Blason_R
Leader
Leader
‎2021-01-10 08:29 PM

So in this case - and in my scenario if my one of the link fails which is 11.12.13.14 then changing other IP in link selection Under IPsec VPN i.e. to 15.16.17.18?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
WingChow7
Participant
‎2021-01-11 01:09 PM
In response to Blason_R

If the primary link fails you can manually change the IP Selection by remote peer and put the secondary link for IPSec VPN with Route Based Probing for 3rd Party GW VPN. This configuration will help you when negotiate with other vendors.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top