dphonovation
Collaborator

Move VPN termination from ISP Peering address to a BGP address

I currently have the following setup:


1) I am provided a /30 peering address with my ISP. Let's say this is 1.2.3.5/30 and my next hop is 1.2.3.6/30

2) I have an interface on a solo checkpoint assigned 1.2.3.5/30 respectively (say eth2)

3) I advertise a /27 BGP block to this next hop. For example: 71.82.42.224/27. Any traffic that has arrived here is NAT'ed to some internal destination.

4) I have several IPSEC VPNs (Domain Based) with 3rd parties that terminate on the PEERING address (1.2.3.5/30 eth2)

All is well in this case.




ISP changes are now requiring me to change the peering address, but I can keep the /27 block.

Therefore, I now want to change point #4 above. ie: terminate VPNs on one of my BGP addresses.

So far, my thoughts have been to create a new interface (in the same WAN VLAN? Loopback?) and assign it an IP in the BGP block so that the ipsec daemon can terminate there. (Let's say 71.82.42.225 eth3) But then what?

This new interface appears in the selection box in gateway properties --> ipsec vpn --> link selection - but this would break all EXISTING VPNs until the 3rd party changes their side? These are customers (about 20 of them), taking them down isn't an option nor is trying to align 20 customers on the same day to change their side.

Is there a way I can gradually migrate each of my VPNs? ie: keep unmigrated customers' IPSEC VPNs terminated on 1.2.3.5 while I migrate other customers, 1 by 1, to use the BGP IP 71.82.42.225?

Is it as simple as NAT? (Right now, when the CP initiates IPSEC it always wants to use its main peering IP)
Policy based routing? (Although no matter what, the ISP routes traffic to the BGP block to my peer address?)

If someone has any other clever ideas, I'm all ears.


Thanks in advance.


0 Kudos
5 Replies
PhoneBoy
Admin

The IP address used for Link Selection doesn't even have to be an interface IP so long as the traffic is ultimately sent to the gateway by some other means (e.g. a NAT device, routing). 

The only way to have a different Link Selection IP for different VPN peers currently is to route the traffic out different physical interfaces and set the Link Selection setting accordingly.
If you used a fixed IP/interface for Link Selection, it applies to all peers.

A different Link Selection setting for different VPN peers is not currently possible.
However, I believe it is planned for R82.

0 Kudos
dphonovation
Collaborator


@PhoneBoy wrote:

The only way to have a different Link Selection IP for different VPN peers currently is to route the traffic out different physical interfaces and set the Link Selection setting accordingly.



So if I make a 2nd physical interface in the same VLAN, does that not count as another physical interface? Or does the next hop have to be different? (Since I don't have a "next hop" in my own BGP block)

If so, I think what you're saying is that I then set:


1) IP selection by remote peer to "calculate by network topology"

2) Outgoing route interface selection "When initiating a tunnel" can stay on "operating system routing table" (but I create a static route?)

3) Link Selection Source IP address settings "when responding to a remotely initiated tunnel" - set to "reply from the same interface"

4) Source IP address settings button  "when initiating a tunnel use the following ip address" - set to "ip address of chosen interface"

0 Kudos
PhoneBoy
Admin

You can create a second physical interface in the same VLAN, yes.
And what you're describing sounds right, including adding the routes necessary to ensure the right interface is used to originate the VPN traffic.

0 Kudos
dphonovation
Collaborator

So say the 3rd party VPN peer is 5.4.3.2/32.

I would make the 2nd interface and assign it an IP in my BGP range (ie: 71.82.42.225 eth3). I don't have a next hop on that subnet 71.82.42.224/27 (it's solely my own BGP range). My only real next hop to the world is 1.2.3.6/30 (my BGP peer and default route).

What do I then point the route gateway to when configuring an alternate route to 5.4.3.2/32? The "interface" assigned to 71.82.42.225? (the new one I just created)


0 Kudos
PhoneBoy
Admin

An interface route won't work most likely as it assumes something in the network will hear the traffic and do the right thing with it.
It also creates a potential issue with ARP caching, especially if it's done for a default gateway.

That leaves an IP address as your next hop, and I believe it needs to be an IP on the same network.
If you don't have that, I don't believe this can be made to work.

0 Kudos
