This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
shantilalSuthar
Participant
‎2024-04-10 11:55 PM

S2S VPN failover using route based VPN

Hi Guys,

I have a requirement where i need to create two route-based ipsec tunnels between Checkpoint & third party vendor & there are around 500 clients to which i need to create tunnels in active/backup manner.

 

Kindly suggest how to achieve this.

0 Kudos
6 Replies
Henkpoa
Participant
‎2024-04-11 03:11 AM

Hello!

First of all, you'd have to use route-based VPN as you said, instead of a pure policy-based VPN.

So what you do is define two VTI interfaces on the gateway, acting as the logical interfaces for the VPN, and then set up routing based off that, where you also set up which third party gateway it will communicate towards.

If you want to use static routes with IP tracking, or dynamic protocols such as OSPF or BGP is up to you, I would personally recommend dynamic protocol.

See this guide when it comes to the VTIs etc:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

As for the VPN itself, you create a policy based VPN as usual, but leave the VPN domains as empty groups, (since the routing will decide what will traverse over the tunnel).

0 Kudos
shantilalSuthar
Participant
‎2024-04-11 04:31 AM
In response to Henkpoa

Thanks for your suggestions but here my question is, Is it possible to keep two VPN tunnel active on different ISP ?

As i know we can only select single interface in link selection option of IPsec VPN.

0 Kudos
Henkpoa
Participant
‎2024-04-11 10:13 AM
In response to shantilalSuthar

I mean, you could technically route your interoperable device IPs out on different ISPs with definitive /32 routes to their public IPs.

Should be possible.
Then you'd just use the routing in the VTI tunneling to decide which tunnel to use etc.

0 Kudos
shantilalSuthar
Participant
‎2024-04-11 09:31 PM
In response to Henkpoa

It means link selection does not matter if we use route based VPN to select the outgoing tunnel ? Am i correct ?

0 Kudos
Blason_R
Leader
Leader
‎2024-04-11 10:26 PM
In response to shantilalSuthar

From checkpoint end nope it is not possible since you can terminate tunnel only on one ISP. While you can create two tunnels with two ISP for remote end.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
shantilalSuthar
Participant
‎2024-04-11 11:34 PM
In response to Blason_R

that is what i was trying to tell. Only one tunnel will be UP at a time right ?? Do we need to use ISP redundancy for auto tunnel failover.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events