Herr_O
Explorer

Migrate 3rd party IPsec VPN connections to other ISP

Hi Guys,

Due to the migration to another ISP I'm forced to move the 3rd party IPsec VPN connections. The downtime per VPN should be minimized. Both ISPs are already connected on different interfaces on a cluster R81.10.
My idea is to use the link selection/link redundancy mode to make the old and the new IP address usable for VPN, then migrate the IPsec VPNs and finally delete the old ISP interface.


Unfortunately I have read different statements on whether this is possible or not.

Maybe someone has already gained experience with this?

 

Regards,

Joe

 

 

0 Kudos
2 Replies
PhoneBoy
Admin

If you're changing the IP used for terminating the VPN, you definitely have to mess with the Link Selection settings.
What you're suggesting seems reasonable, but others will have to chime in with their experience doing so.

0 Kudos
Lesley
Leader

Indeed you have to work with link selection and ISP redundancy.

You can try first without ISP redundancy. 

Do NOT use the link selection settings on the Interoperable Device itself; this will not work.

Final check: if you send traffic from ISP-A, the firewall uses the public IP from ISP-A. And if it uses ISP-B, it uses the IP from ISP-B.

This can be checked with a packet capture, for example. Some vendors do not care what IKE ID you come with, but some will let the tunnel fail. This is listed in: https://support.checkpoint.com/results/sk/sk44978

EDIT: check the packet capture for the outgoing IP and the VPN debug for the IKE ID.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
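
The packet-capture check described in the reply above, as an added example that is not part of the original thread: it reads `tcpdump -nn` text output and reports peers whose outgoing IKE/NAT-T traffic leaves from a different local address than the migration plan expects. All addresses, the plan mapping and the sample capture lines are constructed placeholders; it checks only the source IP, not the IKE ID.

```python
import re

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T (UDP-encapsulated ESP)

def check_capture(lines, local_ips, expected):
    """Compare the source IP of outgoing IKE/NAT-T packets with the plan.

    local_ips: the gateway's public addresses (old and new ISP).
    expected:  peer IP -> local IP that peer should currently see.
    Returns (mismatches, unseen): mismatches is a sorted list of
    (peer, observed_src, expected_src); unseen lists planned peers
    for which the capture holds no outgoing IKE traffic at all.
    """
    mismatches, seen = set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m or m["src"] not in local_ips:
            continue  # unparsable line or inbound packet
        if m["sport"] not in IKE_PORTS and m["dport"] not in IKE_PORTS:
            continue  # not VPN negotiation or NAT-T traffic
        peer = m["dst"]
        if peer not in expected:
            continue  # peer is outside the migration plan
        seen.add(peer)
        if m["src"] != expected[peer]:
            mismatches.add((peer, m["src"], expected[peer]))
    return sorted(mismatches), sorted(set(expected) - seen)

# Constructed placeholders (documentation address ranges).
ISP_A, ISP_B = "192.0.2.10", "198.51.100.10"
PLAN = {
    "203.0.113.20": ISP_B,  # peer already moved to the new ISP
    "203.0.113.30": ISP_A,  # peer still on the old ISP
    "203.0.113.40": ISP_B,  # moved, but no traffic in this capture
}
# Constructed sample capture lines.
SAMPLE = """\
10:00:01.000001 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: phase 1 I ident
10:00:01.050000 IP 203.0.113.20.500 > 198.51.100.10.500: isakmp: phase 1 R ident
10:00:02.000001 IP 192.0.2.10.500 > 203.0.113.30.500: isakmp: phase 1 I ident
10:00:03.000001 IP 192.0.2.10.4500 > 203.0.113.20.4500: UDP-encap: ESP(spi=0x00000001,seq=0x1), length 100
10:00:04.000001 IP 192.0.2.10.53124 > 203.0.113.53.53: 1234+ A? example.com. (29)
""".splitlines()

if __name__ == "__main__":
    print(check_capture(SAMPLE, {ISP_A, ISP_B}, PLAN))
```

A peer in the first list is still being addressed from the wrong ISP address; a peer in the second list has not been exercised yet, so the capture proves nothing about it.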