Douglas_Rich
Collaborator

Redundant/Backup IPSEC VPN Options R81.20

Looking at configuring an IPsec VPN with a backup tunnel: external client (Interoperable Device), no dynamic routing, single ISP on the CP side.

I found two options and I'm wondering which is the better option, in your opinion. 

1. Two tunnels utilizing VTI interfaces with redundant routes configured with different priorities for each tunnel. 

2. The example shown in sk164355 (VPN redundancy)

0 Kudos
10 Replies
the_rock
MVP Platinum

I can only speak for myself, but I know 2 customers who tried the sk you mentioned and we could never get it to work the way we wanted. We even had a TAC case, but gave up trying after some time, since it was taking too many hours.

I did option 1 many times, no problems.

Hope that helps.

Best,
Andy
(1)
Douglas_Rich
Collaborator

Thank you, this is very helpful.

0 Kudos
the_rock
MVP Platinum

No worries! Message me directly if you want to discuss it, no issue.

Best,
Andy
0 Kudos
Vincent_Bacher

While I'm not the biggest fan of VTIs in general, I'm familiar with route-based VPN designs from other vendors, and the concept works reliably. So in this case, I would agree that using VTIs with appropriate routing metrics is the right approach.

And because I'm not satisfied with the solution described in the SK referenced above.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)
the_rock
MVP Platinum

I'm certain there is a way to make it work, but if I had the patience I did in my 20s, maybe I would be willing to spend 100 hours on it to make it function 🙂

Otherwise, I like to stick with the method that does work.

Best,
Andy
(1)
Vincent_Bacher

The same applies to me. At the moment, I prefer to focus my time on working with the APIs and developing scripts — for example with Copilot — to automate various workflows.

For example, upgrading or replacing dozens of VMware-based gateways for the upgrade to R82. I do everything on the vCenter and SmartCenter side via API. I still have enough patience for that kind of thing today.

There are so many APIs to learn and play with these days.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Platinum

Totally, no argument there. Have a great weekend, Vin!

Best,
Andy
0 Kudos
Vincent_Bacher

And you!

Best
Vince

(Vin always confuses me — I’m not a Diesel, you know. 😉 )

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Platinum

haha, true...Vince it is 🙂

Best,
Andy
Duane_Toler
MVP Silver

Echoing the others, I would also vote for VTIs and universal tunnels (Community properties -> Tunnel Management -> "subnet per gateway pair"). You can still do static routing via the VTI. You can't do ECMP across them, but you can set route priorities.

For your case here, just use the 169.254.1.x/24 address space for your side of the VTI (numbered VTI). It doesn't matter what the peer has; it's irrelevant. They can be 192.168.5.23.  

add vpn tunnel 101 type numbered local 169.254.1.3 remote 10.255.254.5 peer gw101

Unnumbered VTI can be done, but it needs a proxy interface, which can be either physical interface (eth2) or a loopback.  This gets more complicated and you probably don't need that (but you do in a cluster with BGP).

VTIs are point-to-point links; anything you send down that pseudo-wire is going to go out that interface.  There is no next-hop; your routes are:

set static-route 192.0.2.0/24 nexthop gateway logical vti101

The only time a next-hop matters is if you're doing BGP with it, but sounds like you only need static routes.

When you add your VTI, be sure you go to SmartConsole and gateway properties -> Network Management and do Fetch interfaces (without topology) so you get the correct interface type added.

Good luck with your implementation and let us know if you run into anything unusual!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
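The two-VTI layout described in the replies above (option 1 of the question), written out end to end as an added example; this is not a configuration from the thread or from Check Point documentation. It assumes two Interoperable Device objects on the Management side, named peer-primary and peer-backup (one per public IP of the external client), tunnel IDs 11 and 12, 169.254.x link addresses on the VTIs, and 192.0.2.0/24 as the network behind the peer; all of these are placeholders to replace with the objects and prefixes of your own community.

```clish
# Added example (not from this thread): two numbered VTIs with redundant
# static routes on the Check Point side, entered in Gaia clish.
# Peer object names, tunnel IDs, link addresses and the remote prefix are
# assumptions for illustration only.

# Primary tunnel, bound to the Interoperable Device object "peer-primary".
# The remote address is only the far end of the point-to-point link; as noted
# in the thread, what the peer actually uses there does not matter.
add vpn tunnel 11 type numbered local 169.254.1.1 remote 169.254.1.2 peer peer-primary

# Backup tunnel, bound to the second peer object "peer-backup".
add vpn tunnel 12 type numbered local 169.254.2.1 remote 169.254.2.2 peer peer-backup

# VTIs are point-to-point, so the routes name the logical interface, not a
# next-hop address. The lower priority value is preferred: traffic for
# 192.0.2.0/24 uses vti11 while it is up and falls back to vti12 when it is down.
set static-route 192.0.2.0/24 nexthop gateway logical vti11 priority 1 on
set static-route 192.0.2.0/24 nexthop gateway logical vti12 priority 2 on

save config

# Checks: both tunnels should be listed, and the routing table should show the
# 192.0.2.0/24 route via vti11 as the active one.
show vpn tunnels
show route
```

After entering this, do the "Fetch interfaces (without topology)" step from the reply above so SmartConsole picks up vti11 and vti12 with the right interface type, then install policy. Before relying on it for failover, test it: take the primary peer out of service in a maintenance window and confirm with show route that the vti12 route becomes active and traffic still flows. The backup route only takes over when the interface of the preferred route goes down, so the community's tunnel liveness settings (permanent tunnels with tunnel test) are what need to be verified if the switch does not happen.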