Deepraj_Patil
Participant

IPSec VPN redundancy is not working using MEP

Hi All,

I am working to implement redundancy (failover) for an IPSec VPN tunnel with a remote site. Both locations are equipped with two internet circuits. On my end, I am using a Check Point firewall, while the remote site uses a FortiGate firewall. I have set up two route-based IPSec site-to-site VPN tunnels using different peer IPs, leveraging Check Point’s Star Community and enabling MEP (Multiple Entry Point) configuration. The remote site has configured SD-WAN on their FortiGate firewall to achieve redundancy.

During failover testing, we disabled the primary VPN tunnel at the remote site. The FortiGate successfully switched to the backup tunnel. However, on the Check Point firewall, although the primary tunnel is shown as down, traffic is not rerouted to the backup tunnel as expected.

The scenario is like this:

Check Point Peer IP 1 -> FortiGate Peer IP 1

Check Point Peer IP 2 -> FortiGate Peer IP 2

I raised a support ticket with TAC, and after 15 days they informed me that failover is not possible in our current version. They mentioned that this functionality might be available in R82, but they were uncertain and escalated the issue to our account manager for further clarification. I would appreciate your assistance in either resolving this within our current version or confirming whether this requirement is indeed supported in R82. For context, we are currently running R81.20 Take 76.

Please reply.

0 Kudos
7 Replies
CheckPointerXL
Advisor

I'm aware too that this is not officially supported, but R82 should help.

Anyway, did you add a static route /32 to FGT IP 2 through CP IP 2? You should also add a static route on both sides with lower priority and ping on for the backup links... Not sure this helps, but it can work. I think I labbed a scenario like this, but it was a long time ago.

Combining it with route-based VPN and dynamic routing gives you the possibility to avoid MEP config.

0 Kudos
the_rock
Legend

I'm pretty positive I made this work with a customer when they were on R81.10 and it was fine, using the MEP method as a matter of fact. Let me see if I can find some notes about it. Btw, how is MEP configured within the community? Can you send a screenshot?

Andy

0 Kudos
Deepraj_Patil
Participant

Thanks Andy for your reply. Below are the screenshots:

0 Kudos
the_rock
Legend

I sadly can't find the notes from back then, but I will ask the customer if they recall, since it's been some time. The screenshots you sent look right to me. Here is the question: when it does not work, if you check the route, does it take the correct path?

Andy

0 Kudos
AmirArama
Employee

I don't believe MEP configuration is relevant if you work with Route Based VPN.

If you already have two VPN tunnels, one from each local interface to each remote interface as you described:

Assuming you consider each FG IP as a different peer/object, try to set a static route to the remote network behind the FG going via VTI1 with ping on, and then another static route with higher priority (= lower preference) via the other VTI.
Once the primary tunnel goes down, ping on should remove the primary route and traffic should be redirected via the secondary VTI/tunnel.
(Of course you can achieve a similar effect using dynamic routing.)

Each FG external IP needs to be routed statically via each local interface's next hop.

Also disable MEP if working with route-based VPN.

In R82 you will have the enhanced link selection, which can build a tunnel per interface in a more elegant manner.

Thanks,

(1)
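The static-route layout described in the reply above, written out as Gaia clish commands. This is an added example, not configuration from the original thread or from Check Point; every address and interface name is constructed (remote LAN 10.200.0.0/24, VTIs vpnt1/vpnt2, FortiGate peers 203.0.113.10 and 198.51.100.10, ISP next hops 192.0.2.1 and 192.0.2.129), and the command syntax is the Gaia clish static-route syntax as recalled by the editor, so check it against the Gaia Administration Guide for R81.20 before applying it.

```clish
# Constructed example values (not from the thread):
#   remote LAN behind the FortiGate : 10.200.0.0/24
#   VPN tunnel interfaces           : vpnt1 (via ISP 1), vpnt2 (via ISP 2)
#   FortiGate peer IPs              : 203.0.113.10 (ISP 1), 198.51.100.10 (ISP 2)
#   local ISP next hops             : 192.0.2.1 (ISP 1), 192.0.2.129 (ISP 2)

# 1. Pin each FortiGate peer IP to its own local circuit, so IKE/IPsec for
#    tunnel 1 always leaves via ISP 1 and tunnel 2 via ISP 2.
set static-route 203.0.113.10/32 nexthop gateway address 192.0.2.1 on
set static-route 198.51.100.10/32 nexthop gateway address 192.0.2.129 on

# 2. Two routes to the remote LAN through the two VTIs.
#    Lower priority number = preferred path; priority 2 is the backup.
set static-route 10.200.0.0/24 nexthop gateway logical vpnt1 priority 1 on
set static-route 10.200.0.0/24 nexthop gateway logical vpnt2 priority 2 on

# 3. Enable ping monitoring on the destination: when the next hop over
#    vpnt1 stops answering, the priority-1 route is withdrawn and the
#    priority-2 route via vpnt2 takes over.
set static-route 10.200.0.0/24 ping on

save config

# Verification during a failover test: the active next hop for the remote
# LAN should move from vpnt1 to vpnt2 once the primary tunnel is down.
show route destination 10.200.0.0/24
```

Two points from the reply are not expressible as routes but matter for the test: MEP should be disabled in the community for this route-based design, and the second route only helps if the backup tunnel is already established (the FortiGate side must accept and keep tunnel 2 up while tunnel 1 is active), otherwise the withdrawn route has nowhere to fall back to.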
the_rock
Legend

That makes sense actually...probably relates to an issue I posted recently about Harmony SASE.

0 Kudos
Deepraj_Patil
Participant

Hi Amir,

I have already configured a static route for each remote network, pointing to both VPN tunnel interfaces with appropriate priorities. However, the failover is still not functioning as expected.

Regards,

Deepraj

0 Kudos
