Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
velo
Collaborator
Jump to solution

Redundant IPSEC VPN with Azure

I'm looking to setup an IPSEC VPN to Azure, and make use of both of the VPN endpoints in Azure. My security platform is:

Gateway is: Quantum Security Cluster of 2 units (81.10)

What are my options here? Is VTI with BGP the only option or is there a more simple way to achieve this? 

I found this document below which is pretty good but I need to know how this will work with a cluster. I'm guessing the VTI tunnels will need some special config because they will need to be created on each member of the cluster?

https://community.checkpoint.com/t5/Security-Gateways/BGP-peer-Throught-IPSEC-tunnel/td-p/177032

If someone has a guide like above but for a cluster, that would be appreciated. Or if there is a more simple way to achieve this (e.g. multiple IPs in the VPN config, but I think this only works for CP to CP)

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Official documentation:

Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.
See: R81.20 Site to Site VPN Administration Guide - Multiple Entry Point (MEP) VPNs
How well that will work is a separate question.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

Official documentation:

Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.
See: R81.20 Site to Site VPN Administration Guide - Multiple Entry Point (MEP) VPNs
How well that will work is a separate question.

0 Kudos
velo
Collaborator

Thank you. It's a nice document but unfortunately doesn't answer my main question. For the tunnel interface section, are you supposed to create those interfaces on both members of the cluster? It doesn't say. Some of the sections of config, e.g. route-map etc it says to do it on FW1 and FW2. But for the VTI section it doesn't tell say.

Thanks

0 Kudos
Peter_Lyndley
Advisor
Advisor

hi Velo,

Yes the VTIs need to be configured on both cluster members in Gaia as well as in the topology of the cluster object.

Make sure the destination matches EXACTLY the object name used in SmartDashboard for the Azure IP(s) 

0 Kudos
Martin_Schagerl
Participant

it won´t let me use the same local address for both virtual tunnel interface 1 and 2.

add vpn tunnel 1 type numbered local 100.64.220.1 remote 10.250.0.12 peer vwan01 
add vpn tunnel 2 type numbered local 100.64.220.1 remote 10.250.0.13 peer vwan02
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events