IPsec Gateway is Always Defined Cluster Management IP
Hey, I'm trying to set up IPsec between sites in my lab to test CheckPointFW. I have a management network 10.1.91.0/24 and am managing the CPs from this network. I defined the cluster IP from this subnet, and the FWs have 2 WAN IPs, and the other site has also. When I check logs from the other site, it says phase 1 is trying to negotiate from 10.1.91.27 (so the cluster IP). But I want to specify it, and I tried some things, but nothing works.
When I select Always use this IP address->Selected address from topology table->WAN1, it's negotiating.
I defined the WAN IP for both interoperable devices, but it doesn't work.
If you're using multiple WAN interfaces with VPN, you'll need to configure Link Selection as part of ISP Redundancy: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content...
In R82, the Link Selection options are greatly improved: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...
I took this screenshot from a customer's environment where this works 100%, no issues. Don't know if it matters, but their SECONDARY link IP is first in the list I pointed out.
Andy
Btw, make sure the option to apply VPN settings is checked at the bottom of the tab for ISP Redundancy.
