Antonio_M
Participant

Route-based VPN on virtual Systems

Hi,

Can we create route-based VPNs on virtual systems? If so, should the configuration be done under the tenant VSX?

Regards.

0 Kudos
9 Replies
PhoneBoy
Admin
Route-Based VPNs require VTIs, which are not currently supported on VSX.
0 Kudos
Antonio_M
Participant

Thank you PhoneBoy!

0 Kudos
Sanjay_S
Advisor

Hi PhoneBoy,

Does VSX support the VTIs now? I mean can we configure the Route Based VPNs in VSX now?

In case if we need to setup a VPN between AWS or Azure in Virtual System how can we configure it?

Any suggestions? Thanks in advance.

0 Kudos
Chris_Atkinson
Employee

R81 will support this for VSX when released.

CCSM R77/R80/ELITE
0 Kudos
Paul_Hagyard
Advisor

sk113840 - How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes says:

This article describes how to create a single VPN connection between Check Point and Amazon Web Services and is intended to be used in instances where VTIs are not permitted, such as the 61000 platform or VSX.

Keep in mind that VTI is important for redundancy and flexibility with AWS hosting. As the 61000 platform and VSX do not support VTIs, a single working tunnel can be created using this method, but is not a recommended configuration. Two separate tunnels will need to be created to Amazon Web Services, and any failover between the two tunnels must be done manually.

0 Kudos
Chris_Atkinson
Employee

Hi Paul,

This limitation for VSX was addressed starting R81 per sk79700.

CCSM R77/R80/ELITE
0 Kudos
Paul_Hagyard
Advisor

Hi Chris,

I'm aware that it's resolved in R81, I was replying to Sanjay_S who was asking how to configure AWS VPN connectivity on older versions of VSX without support for VTIs - in case someone else had the same question.

Paul

0 Kudos
Paul_Hagyard
Advisor

Except that with further investigation:

  1. The vsx_provisioning_tool command for adding a VTI does not appear to support setting the MTU which is vastly preferable to trying to configure VPN MSS clamping.
  2. There's no mechanism for routes on VSX to use ping tracking. Which means resilient connectivity to AWS would require BGP.

All the more reason to avoid deploying VSX!

0 Kudos
Chris_Atkinson
Employee

AWS recommends BGP for the VPN where available.

MSS clamping works just fine, architecturally it probably has fewer drawbacks if your VS is dedicated to the VPN i.e.

Set fw_clamp_vpn_mss=1 to $FWDIR/boot/modules/fwkern.conf
Set sim_clamp_vpn_mss=1 to $PPKDIR/conf/simkern.conf (new file)
Set mss_value to 13XX for <TRANSIT_IF_NAME> in guidbedit for VS
Set MTU to 14XX on <TRANSIT_IF_NAME> for VS in SmartConsole

CCSM R77/R80/ELITE
0 Kudos
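The two file edits in the post above are the only part of that procedure that can be scripted; the mss_value and MTU on the transit interface are set in GuiDBedit and SmartConsole. The script below is an added example, not code from the thread or from Check Point: it persists the two kernel parameters idempotently (creating simkern.conf if it does not exist, replacing an existing line rather than appending a duplicate) and reads them back so the change can be verified. It assumes fwkern.conf and simkern.conf are plain KEY=VALUE files, one setting per line, and that FWDIR and PPKDIR are set in the shell, as they are on a Gaia gateway. The mss_for_mtu helper is also an assumption on top of the post: it derives the IPv4 TCP MSS from an MTU by subtracting the 20-byte IP and 20-byte TCP headers, which is how a 14XX MTU lines up with a 13XX MSS.

```shell
#!/bin/sh
# Added example (not from the thread): persist the VPN MSS clamping kernel
# parameters described in the post, idempotently, and verify them.
# Assumption: both files are plain KEY=VALUE lines, one per line.

# set_kernel_param FILE KEY VALUE
# Creates FILE if missing, replaces an existing KEY=... line, otherwise appends.
set_kernel_param() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # rewrite through a temp file so this stays POSIX sh portable
        tmp="${file}.tmp.$$"
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kernel_param FILE KEY
# Prints the current value of KEY (last definition wins), or nothing if unset.
get_kernel_param() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# mss_for_mtu MTU
# Assumed helper: TCP MSS that fits MTU for IPv4 (20-byte IP + 20-byte TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# apply_vpn_mss_clamp
# Writes the two files from the post; FWDIR and PPKDIR must be set
# (they are on a Check Point gateway). simkern.conf is created if absent.
apply_vpn_mss_clamp() {
    : "${FWDIR:?FWDIR not set - run this on a Check Point gateway}"
    : "${PPKDIR:?PPKDIR not set - run this on a Check Point gateway}"
    set_kernel_param "$FWDIR/boot/modules/fwkern.conf" fw_clamp_vpn_mss 1
    set_kernel_param "$PPKDIR/conf/simkern.conf" sim_clamp_vpn_mss 1
}

# show_vpn_mss_clamp
# Reads both parameters back for a post-change check (needs FWDIR/PPKDIR).
show_vpn_mss_clamp() {
    echo "fw_clamp_vpn_mss=$(get_kernel_param "$FWDIR/boot/modules/fwkern.conf" fw_clamp_vpn_mss)"
    echo "sim_clamp_vpn_mss=$(get_kernel_param "$PPKDIR/conf/simkern.conf" sim_clamp_vpn_mss)"
}
```

Run apply_vpn_mss_clamp in Expert mode on the VSX gateway, then show_vpn_mss_clamp to confirm both lines are present; the kernel parameters in these files take effect after the next reboot, and the per-VS MTU and mss_value still have to be set through SmartConsole and GuiDBedit as the post lists.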