VishnuK
Explorer

Route Based VPN Tunnel on VSX (Virtual System)

Hi Team,

We want to configure a route-based VPN tunnel. Below are the environment details:

* Local Gateway: Check Point Virtual System Firewall

* Peer gateways:

      Site-A: Third-party Firewall

      Site-B: Third-party Firewall

* Peer Encryption Domain: common (172.16.1.0/24), behind both locations' Firewalls.

* Routing on Local Gateway: Static

 

As the peer encryption domain is common (172.16.1.0/24), it is to be accessed from our side through IPSec.

We are planning to implement route-based VPN with both locations, so that if the primary tunnel with Site-A goes down, the same subnet 172.16.1.0/24 should be accessible through Site-B's tunnels.

We want to use static routing for this route-based VPN setup.

But we are not able to find a route monitoring option for the VTI interface, as in a standard environment (without VSX) we can enable next-hop monitoring while configuring the static route.

So, we are looking for a solution for tunnel failover with static routing.

0 Kudos
6 Replies
Chris_Atkinson
MVP Gold CHKP

To my knowledge, route-based VPNs for VSX are only supported with dynamic routing, e.g. BGP.

CCSM R77/R80/ELITE
0 Kudos
Lesley
MVP Gold

You need dynamic routing for this, like BGP.

  1. Dynamic Routing: This infrastructure enables dynamic routing protocols (like OSPF or BGP) to exchange routing information directly with a routing daemon on the other end of the tunnel, making it appear as a single hop.

Check also policy-based routing, which is now also supported on VSX:

https://support.checkpoint.com/results/sk/sk167135

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
VishnuK
Explorer

1. Does it mean we can't achieve it using route monitoring with static routing?

2. Can PBR be used in this case for tunnel failover?

0 Kudos
Chris_Atkinson
MVP Gold CHKP

SmartConsole won't allow you to configure it under classic VSX per sk79700.

"Multiple Static Routes with different priorities to the same destination"

CCSM R77/R80/ELITE
0 Kudos
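For readers who have not seen the non-VSX configuration the original poster refers to, here is an added illustration (not from this thread, and not Check Point's own documentation) of what a route-based VPN failover with monitored, prioritised static routes looks like in Gaia clish on a standard gateway. VTI numbers, peer object names and tunnel addresses are assumed placeholders; the command syntax is from general Gaia clish usage and should be checked against the release notes of the version in use. Per sk79700 as quoted above, the second static route to the same destination is what SmartConsole rejects under classic VSX.

```clish
# Added illustration, not from the thread: route-based VPN failover with
# static routes on a standard (non-VSX) Gaia gateway.
# Peer object names, VTI numbers and addresses are assumed placeholders.

# One numbered VTI per third-party peer object defined in SmartConsole.
add vpn tunnel 1 type numbered local 10.255.1.1 remote 10.255.1.2 peer SiteA_FW
add vpn tunnel 2 type numbered local 10.255.2.1 remote 10.255.2.2 peer SiteB_FW

# Same destination twice with different priorities (lower number wins).
# The next hop is the peer's VTI address, so reachability of the next hop
# tracks the state of the tunnel itself.
set static-route 172.16.1.0/24 nexthop gateway address 10.255.1.2 priority 1 on
set static-route 172.16.1.0/24 nexthop gateway address 10.255.2.2 priority 2 on

# Next-hop monitoring: when the Site-A VTI peer stops answering, the
# priority-1 route is withdrawn and the priority-2 route via Site-B is
# installed in the kernel routing table.
set static-route 172.16.1.0/24 ping on

# Verify which path is currently active, then persist the configuration.
show route
save config
```

The failover here is driven purely by next-hop reachability, so a Site-A tunnel that is up at the IKE level but not forwarding traffic across the VTI is still detected, which is the property the original poster is trying to obtain without BGP.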
Wolfgang
MVP Gold

@VishnuK what do you want to achieve? You need redundancy for your VPN? Why route-based VPN?
I believe you can use domain-based VPN with two third-party gateways at the remote site: redundancy via MEP (Multiple Entry Point), using DPD (Dead Peer Detection) to probe the remote gateways' availability.
https://support.checkpoint.com/results/sk/sk10860 (scenario 8)

0 Kudos
VishnuK
Explorer

Hi Wolfgang,

Yes, we need redundancy for IPSec. Is MEP applicable here? I am doubtful about that, considering the points below:

* We have the control of Local firewall only

* Traffic direction is outbound (Local to 3rd Party)

* Peer Firewalls are not checkpoint.

As per my understanding, MEP can be configured only for incoming traffic. Please correct me if I am wrong.
0 Kudos