Migrade 3rd party ipsec vpn connections to other I...

Herr_O · ‎2024-06-28

Hi Guys,

due to the migration to another ISP I'm forced to move the 3rd party ipsec vpn connections. The downtime per VPN should be minimized. Both ISPs are already connected on different interfaces on a cluster R81.10.
My idea is to use the link selection/link redundany mode to make the old and the new IP address usable for VPN, then migrate the IPSec VPNs and finally delete the old ISP interface.

Unfortunately I have read different statements if this is possible or not ?

Maybe someone has already gained experience with this ?

Regards,

Joe

PhoneBoy · ‎2024-07-01

If you're changing the IP used for terminating the VPN, you definitely have to mess with the Link Selection settings.
What you're suggesting seems reasonable, but others will have to chime in with their experience doing so.

Lesley · ‎2024-07-01

Indeed you have to work with link selection and ISP redundancy.

You can try first without ISP redundancy.

Do NOT use the link selection settings on the Interoperable Device itself, this will not work.

Final check if you send traffic from ISP-A the firewall uses public from ISP-A. And if it uses ISP-B it uses IP from ISP-B.

This can been checked with packet capture for example. Some vendor do not care with what IKE-ID you come but some will let the tunnel fail. This is listed in: https://support.checkpoint.com/results/sk/sk44978

EDIT; check packet capture for outgoing IP and VPN debug for IKEID

-------
If you like this post please give a thumbs up(kudo)! 🙂

Are you a member of CheckMates?

Migrade 3rd party ipsec vpn connections to other ISP