S2S VPN primary and backup (DR) location
Hello, I need to accomplish this scenario (attached picture). I need to set up S2S VPN tunnels on a Check Point ClusterXL towards Site 1 (primary location) and Site 2 (backup DR location). The idea is that when the primary location goes down, everything works over the backup DR location without interruption.
How can I do that?
Additional questions:
- Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?
- If 1. is not possible, which one is better to use, Policy Based or Route Based VPN, on Site 1 and Site 2?
- Can I use MEP (Multiple Entry Point) in this scenario?
Best regards,
Milan Babic
1. Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?
Why that demand, and why will community based VPN not work for you? As seen in sk100500: Policy-Based Routing (PBR) on Gaia OS and sk167135: Policy-Based Routing and Application-Based Routing in Gaia, this is used for other reasons, not VPN. What is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway
2. If 1. is not possible, which one is better to use, Policy Based or Route Based VPN, on Site 1 and Site 2?
Community based routing is the standard deployment for most circumstances; also see 1.
3. Can I use MEP (Multiple Entry Point)?
MEP is for RA VPN only, so it is unclear what this question for S2S VPN means?
Hello.
Let's clarify: when I say "Policy Based VPN" I mean "Domain Based VPN".
I have attached the Site to Site VPN R81.10 Administration Guide where MEP is explained.
1) The S2S VPN tunnel between HQ and Site 1 is operational (Domain Based VPN); the tunnel between HQ and Site 2 I need to configure.
More questions:
- In my topology, if I use a MEP star community, HQ (Check Point ClusterXL) would be the Satellite Gateway and Site1 and Site2 would be Center Gateways? How do I configure "VPN Routing" in this star community? The VPN tunnel must be initiated from HQ towards Site1 and Site2.
- Can I use Route Based VPN with MEP, or must it be Community Based VPN?
- Yes
- To center only should be fine.
- It doesn't matter from where the traffic is initiated.
- As I understand it, MEP is to be used with Domain Based VPN. Potentially, if you use routing there is no need for MEP as the routing decision comes from the routing protocol.
Juan
Hello, I have created a VPN star topology, "CP-ZZZRS" as satellite gateway, "VPN_PURS_GW" and "VPN_PURS_DR_GW" as center gateways. I have MEP enabled. I want to achieve that the S2S tunnel between gateways "CP-ZZZRS" and "VPN_PURS_GW" has higher priority.
I'm not sure that I have configured it correctly, I want to be sure (attached picture).
Please look at the default priority rules and exception priority rules; for "Advanced" I have chosen "First to respond".
Best regards,
Milan Babic
I remember a few years ago a customer had it set exactly the same way and it worked fine. Seems totally logical to me.
Andy
Second what @Machine_Head told you.
MEP is enabled in the VPN Community, but not implicit MEP - see https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...
I second what @Machine_Head gave you. Had a customer do this a couple of years back and it worked flawlessly.
Andy
Also, to add: IF you have ISP redundancy, just know that any new VPN connections would NOT survive an ISP link failure. Something to keep in mind, if you do have that configured.
As I wrote: What is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway
OK, that means it is not possible to mix Route Based VPN and Domain Based VPN toward the same destination because Domain Based VPN will always take precedence? Is there a way to change this behavior by some policy order?
As far as I'm aware, no and no. Sorry, I meant YES, domain based will take precedence, and NO, you can't change the behavior by policy order.
It is possible, as source AND destination must match Domains, see sk109340!
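The precedence rule the thread keeps circling back to (domain-based VPN claims a packet only when both source and destination fall inside the relevant encryption domains; anything else is left to the VTI routing table) can be checked with a small model. This is an added illustration written for this thread, not Check Point code or an exact reproduction of the gateway's matching logic; the domains, peer names and VTI routes are constructed sample values.

```python
"""Simplified model of choosing domain-based vs route-based VPN for one packet.

Constructed example for this thread: a domain-based star community wins only
when BOTH the source (in the local encryption domain) and the destination (in
a peer's encryption domain) match; otherwise the packet falls back to the
routing table, where a VTI route may still send it through a route-based tunnel.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: HQ's own encryption domain and the two center gateways.
LOCAL_DOMAIN = [ip_network("10.10.0.0/16")]
PEER_DOMAINS = {
    "VPN_PURS_GW":    [ip_network("192.168.1.0/24")],  # Site 1 (primary)
    "VPN_PURS_DR_GW": [ip_network("192.168.2.0/24")],  # Site 2 (DR)
}
# Constructed VTI routes for the route-based side (hypothetical interface names).
VTI_ROUTES = {
    ip_network("172.16.0.0/12"): "vpnt1",
    ip_network("172.16.5.0/24"): "vpnt2",
}


def in_domain(addr, networks):
    """True when the address lies inside any of the given networks."""
    return any(addr in net for net in networks)


def select_vpn(src, dst):
    """Return ("domain", peer), ("route", vti) or ("clear", None) for a packet."""
    src, dst = ip_address(src), ip_address(dst)
    # Domain-based VPN takes precedence, but only if BOTH ends match domains.
    if in_domain(src, LOCAL_DOMAIN):
        for peer, nets in PEER_DOMAINS.items():
            if in_domain(dst, nets):
                return ("domain", peer)
    # Not claimed by the community: longest-prefix match against VTI routes.
    best = None
    for net, vti in VTI_ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vti)
    return ("route", best[1]) if best else ("clear", None)


if __name__ == "__main__":
    for flow in [("10.10.1.5", "192.168.1.10"), ("10.10.1.5", "172.16.5.9"),
                 ("10.99.0.1", "192.168.1.10")]:
        print(flow, "->", select_vpn(*flow))
```

The third sample flow shows the point made above: a source outside the local domain is not matched by the community even though the destination is a peer's domain, so only a route could carry it.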
No need to post the VPN Admin Guide, I have it! Never saw MEP in use, though...
