Sbolton
Contributor

Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

I have a customer who has an HA pair set to Load-Sharing mode and is on R81.20. They have a VTI configuration with a third party that is utilizing Ubiquiti devices. The firewalls are set as Load-Sharing in ISP Redundancy with the VPN check box cleared. The customer wishes to know the following.

How do they configure their route-based VPN to specifically use the secondary ISP connection? Their primary ISP has been having port flapping issues, which is affecting the connection from the remote location's device to their network. That is why they wish to do this. Any recommendations or things I should look out for? Any information would be appreciated.


Thank you

8 Replies
the_rock
MVP Gold

Sounds like they need to make sure secondary ISP link works right. If 1st fails, does other one take over?

Andy

0 Kudos
Sbolton
Contributor

The issue seems to be a hop along the path through one ISP compared to the other. It's pretty consistent, so they want to make the secondary connection the primary JUST for this vpn tunnel.

0 Kudos
Chris_Atkinson
MVP Gold CHKP

How is your "link selection" configured currently? I believe there were some enhancements with this under R82, per:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

CCSM R77/R80/ELITE
0 Kudos
Sbolton
Contributor

You're right, that R82 enhanced link selection is exactly what we would need for this too. I'll bring this up to the customer, as they weren't planning on moving to R82 until December. I'll send this over to them to review. Thank you!

0 Kudos
Duane_Toler
MVP Silver

Until you go to R82, for R80.20 and higher, you can use the BestRoutingSenderIP config as noted in sk108600, Scenario 2.  Since R80.30, IKEv2 is also supported:

https://support.checkpoint.com/results/sk/sk108600

I use this regularly for several customers with multiple upstream next-hops.  You'll need a static route on the gateway for the remote peer to exit the interface you want towards the desired next hop.

After this is set, the IKE ID for 3rd party VPN and PSK will adjust accordingly.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
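The static route Duane describes works because a host route for the peer wins longest-prefix matching over the default route via the primary ISP. As an added example (not code from the thread, sk108600 or Check Point), assuming a Gaia gateway where eth1 faces the primary ISP, eth2 faces the secondary ISP, and 198.51.100.77 is the remote VPN peer (all constructed, documentation-range addresses), this Python snippet parses an `ip route`-style table and shows which interface the peer is reached through with and without the /32 route.

```python
import ipaddress

# Constructed sample of "ip route" output on the gateway (hypothetical addresses).
# eth1 = primary ISP (default route), eth2 = secondary ISP,
# 198.51.100.77 = remote VPN peer pinned to the secondary ISP next hop.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth1 proto static
198.51.100.77 via 192.0.2.1 dev eth2 proto static
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.0.1
192.0.2.0/24 dev eth2 proto kernel scope link src 192.0.2.5
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.5
"""


def parse_routes(text):
    """Return a list of (network, via, dev) tuples from ip-route style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((network, via, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific route containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def peer_egress_dev(routes, peer_ip):
    """Interface the gateway would use to reach the VPN peer."""
    route = lookup(routes, peer_ip)
    return route[2] if route else None


def without_host_route(routes, peer_ip):
    """Same table minus the /32 for the peer, to show the fallback path."""
    host = ipaddress.ip_network(peer_ip + "/32")
    return [r for r in routes if r[0] != host]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("with /32 route:   ", peer_egress_dev(table, "198.51.100.77"))
    print("without /32 route:", peer_egress_dev(without_host_route(table, "198.51.100.77"), "198.51.100.77"))
```

Running this on the real gateway's `ip route` output shows whether the peer is actually steered out the secondary ISP before you expect the IKE ID to change.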
the_rock
MVP Gold

Yep, that does work, used it before.

Andy

0 Kudos
Sbolton
Contributor

Would these changes revert after an upgrade to R82?

0 Kudos
Duane_Toler
MVP Silver

The changes are in the HKLM_registry.data file, which would not be carried over for upgrades (in-place or otherwise).  They will remain in place for Jumbo HFA updates, however.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos