This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2022-11-10 01:00 PM
Jump to solution

ISP redundancy/VPN question

Hey guys,

I really hope someone can clarify this for me, as I find documentation very confusing about it. So, say customer has primary isp link 1.1.1.1 and 2ndary 2.2.2.2 and VPN link selection is set for probing and 1.1.1.1 is set as primary and IPS REDUNDANCY page has option selected to carry settings over to VPN.

Here is my question:

IF say primary link failed, does that mean VPN tunnels with 3rd party devices would still work?

Not trying to be ironic now, but section about 3rd party devices sounds a bit silly to me personally...I mean, OF COURSE encrypted traffic may work or may NOT work, what other option is there? lol

Based on below doc, its not clear at all.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic...

 

Specially this section:

 

Note - ISP Redundancy settings override the VPN Link Selection settings.

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link -> Does this mean that REGARDLESS if its CP-CP or CP-3rd party VPN tunnel, that IF primary ISP link fails that tunnels will continue to work?

The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page.

the_rock_0-1668113898310.gif

 

the_rock_1-1668113898313.gif

 

Configuring ISP Redundancy for VPN with a third-party peer
0 Kudos
1 Solution

Accepted Solutions
Kryten
Collaborator
‎2022-11-11 06:17 AM
Jump to solution

Complex and confusing topic...I cannot answer everything here, but since I have had some troubles with multiple ISP links and VPN, I can at least answer parts of it.

For VPN connections to 3rd party devices it would be important in this scenario that the other end has both of your ISP IP addresses configured for the Tunnel connection. Otherwise it will not recognize the traffic belonging to that connection when the secondary link is used.
Also the IKE-ID (or VPN-ID or whatever it may be called) might be an issue here. I am not sure how this is handled with ISP-redundancy, but usually CheckPoint will use the IP address determined in the first part of the Link Selection settings as ID, even if the traffic goes out on a different interface with a different IP. Some 3rd party devices (depending also on config I guess) are very strict with that ID and do not accept anything different there. Luckily this can be changed via registry, so it is based on the routing instead of the LinkSelection setting. (see Scenario 2 in sk108600 for that)

 

So the statement "may work or may NOT work" is true indeed I fear, but the above things should reduce the amount of connections that do NOT work I think 🙂

View solution in original post

6 Replies
Kryten
Collaborator
‎2022-11-11 06:17 AM
Jump to solution

Complex and confusing topic...I cannot answer everything here, but since I have had some troubles with multiple ISP links and VPN, I can at least answer parts of it.

For VPN connections to 3rd party devices it would be important in this scenario that the other end has both of your ISP IP addresses configured for the Tunnel connection. Otherwise it will not recognize the traffic belonging to that connection when the secondary link is used.
Also the IKE-ID (or VPN-ID or whatever it may be called) might be an issue here. I am not sure how this is handled with ISP-redundancy, but usually CheckPoint will use the IP address determined in the first part of the Link Selection settings as ID, even if the traffic goes out on a different interface with a different IP. Some 3rd party devices (depending also on config I guess) are very strict with that ID and do not accept anything different there. Luckily this can be changed via registry, so it is based on the routing instead of the LinkSelection setting. (see Scenario 2 in sk108600 for that)

 

So the statement "may work or may NOT work" is true indeed I fear, but the above things should reduce the amount of connections that do NOT work I think 🙂

the_rock
Legend
Legend
‎2022-11-11 06:30 AM
In response to Kryten
Jump to solution

Thanks @Kryten , really appreciate your response!! By the way, what I find most confusing is this statement -> When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link

To me, that clearly states that no matter what, regardless if its cp to cp OR cp to 3rd party VPN tunnel or regular/permanent tunnel, if one ISP link fails, VPN would continue to work...just my own logic and how I read that statement. As far as my other comment, yes, I was being sarcastic, because in reality, its like anything in life...I MAY or may NOT be alive tomorrow, right? haha

Anyway, in all seriousness, I thank you very much for the detailed explanation, it certainly makes sense. I hope though that someone who works for CP will give an official statement on this. Ostensibly, the statements in the document I referred to could be put more precisely.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-12 04:59 AM
Jump to solution

One of the functions of Link Selection (whether controlled directly or via the ISP Redundancy settings) is to change the IP used to originate VPN connections from.
On a failover, this is obviously going to have to change for any traffic to pass.
Whether this will work or not depends on the remote end's ability to support such a configuration (basically what @Kryten said).

 

0 Kudos
the_rock
Legend
Legend
‎2022-11-12 05:33 AM
In response to PhoneBoy
Jump to solution

Thanks phoneboy. But again, it goes back to my original question...how does one interpret below statement?

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link...

To me personally, that statement clearly implies that no matter what type of tunnel it is or vendor, that VPN WILL continue to work.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-12 06:55 AM
In response to the_rock
Jump to solution

The key here is "VPN Encrypted Connections."
The VPN Tunnel will have to be rebuilt once the IP address changes due to failover.
The connection inside the VPN tunnel will survive a failover. 

the_rock
Legend
Legend
‎2022-11-12 07:52 AM
In response to PhoneBoy
Jump to solution

Ah, I see...well, I think its worded the wrong way in the document and should be fixed to reflect actual intended behavior.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events