Dilev
Explorer

IPSEC VPN gateway traffic selection

Hi,

We are having an issue with a VPN setup where we have a Checkpoint FW with one ISP line connected to it and a remote site (Juniper SRX) with 2 ISP lines connected to it. We have 2 IKEv1 IPsec VPN tunnels between the two sites that are coming up (permanent tunnels enabled).
Our issue is that the traffic between the two sites seems to be going through both tunnels at the same time instead of one tunnel being the primary one and the second one acting as a backup/failover in case the primary tunnel goes down for any reason.

What is the mechanism Checkpoint uses to determine which of the two tunnels it is going to send the traffic through and how can we specify it?

0 Kudos
5 Replies
_Val_
Admin

Version of CP GW?

0 Kudos
Dilev
Explorer

Hi Val,

The CP GW version is R80.10.

0 Kudos
_Val_
Admin

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/htm...

Look under "Link Selection with non-Check Point Devices" section.

Which part initiates VPN tunnel, Juniper or CP? If Juniper, you should look there first. 

0 Kudos
Dilev
Explorer

Hi,

We've tried the things suggested in the article, but we are still having issues with the traffic selection.

Currently, the traffic from the checkpoint is taking the backup tunnel to our SRX, instead of the primary one. How can we force it to use one tunnel over the other and switch to the second only if the traffic through the first one fails?

0 Kudos
Juan_
Collaborator

I suggest using VTIs with a routing protocol over them.

What is known as "Route based VPN".

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Check IPsec VPN admin guide for your version.

Also, you can check config guides for AWS or Azure as reference.
