shantilalSuthar
Participant

S2S VPN failover using route based VPN

Hi Guys,

I have a requirement where I need to create two route-based IPsec tunnels between Check Point and a third-party vendor, and there are around 500 clients to which I need to create tunnels in an active/backup manner.

Kindly suggest how to achieve this.

0 Kudos
6 Replies
Henkpoa
Participant

Hello!

First of all, you'd have to use route-based VPN as you said, instead of a pure policy-based VPN.

So what you do is define two VTI interfaces on the gateway, acting as the logical interfaces for the VPN, and then set up routing based on that, where you also define which third-party gateway it will communicate with.

Whether you want to use static routes with IP tracking or a dynamic protocol such as OSPF or BGP is up to you; I would personally recommend a dynamic protocol.

See this guide for the VTIs, etc.:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

As for the VPN itself, you create a policy-based VPN as usual, but leave the VPN domains as empty groups (since the routing will decide what traverses the tunnel).

0 Kudos
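To make the VTI-plus-routing setup described above concrete, here is an added Gaia clish example (not posted by Henkpoa or taken from the Check Point guide) for one client network reachable over a primary and a backup tunnel. Peer object names, tunnel addresses and the client prefix are made up, and the command syntax is given from memory, so verify it against the Site to Site VPN Admin Guide for your release.

```clish
# Added example, not from the thread. Two numbered VTIs, one per remote peer
# gateway object (names are placeholders), with static routes of different
# priority so the backup tunnel takes over when the primary route is withdrawn.

# VTI to the primary peer ("Vendor-GW-A" must already exist as an
# interoperable device object in SmartConsole)
add vpn tunnel 1 type numbered local 169.254.10.1 remote 169.254.10.2 peer Vendor-GW-A
set interface vpnt1 state on

# VTI to the backup peer
add vpn tunnel 2 type numbered local 169.254.20.1 remote 169.254.20.2 peer Vendor-GW-B
set interface vpnt2 state on

# Same client network via both tunnels; the lower priority value is preferred,
# so vpnt1 carries traffic while it is usable and vpnt2 takes over otherwise.
set static-route 10.50.0.0/16 nexthop gateway address 169.254.10.2 priority 1 on
set static-route 10.50.0.0/16 nexthop gateway address 169.254.20.2 priority 2 on

# Ping-based tracking of the next hops, so the route is withdrawn when the
# far side stops answering rather than only when the VTI goes down.
set static-route 10.50.0.0/16 ping on

save config
```

The encryption domains of the two VPN communities stay empty groups, as the reply says, so the static routes above alone decide which tunnel a flow to 10.50.0.0/16 uses.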
shantilalSuthar
Participant

Thanks for your suggestions, but my question here is: is it possible to keep two VPN tunnels active on different ISPs?

As far as I know, we can only select a single interface in the link selection option of IPsec VPN.

0 Kudos
Henkpoa
Participant

I mean, you could technically route your interoperable device IPs out on different ISPs with definitive /32 routes to their public IPs.

It should be possible.
Then you'd just use the routing in the VTI tunnelling to decide which tunnel to use, etc.

0 Kudos
shantilalSuthar
Participant

It means link selection does not matter if we use route-based VPN to select the outgoing tunnel? Am I correct?

0 Kudos
Blason_R
Leader

From the Check Point end, nope, it is not possible, since you can terminate the tunnel only on one ISP, while you can create two tunnels with two ISPs for the remote end.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
shantilalSuthar
Participant

That is what I was trying to say. Only one tunnel will be up at a time, right? Do we need to use ISP Redundancy for automatic tunnel failover?

0 Kudos