babicmilan
Collaborator

S2S VPN primary and backup (DR) location

Hello, I need to accomplish this scenario (attached picture). I need to set up S2S VPN tunnels on a CheckPoint ClusterXL towards Site 1 (primary location) and Site 2 (backup DR location). The idea is that when the primary location goes down, everything works over the backup DR location without interruption.

How can I do that?

Additional questions:

  1. Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?
  2. If 1. is not possible, which one is better to use, Policy Based or Route Based VPN, on Site 1 and Site 2?
  3. Can I use MEP (Multiple Entry Point) in this scenario?

Best regards,

Milan Babic

16 Replies
G_W_Albrecht
Legend

1. Is it possible to have Policy Based VPN toward Site 1 and Route Based VPN toward Site 2?

Why that demand, and why will community based VPN not work for you? As seen in sk100500: Policy-Based Routing (PBR) on Gaia OS and sk167135: Policy-Based Routing and Application-Based Routing in Gaia, this is used for other reasons, not VPN. What is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway

2. If 1. is not possible, which one is better to use, Policy Based or Route Based VPN, on Site 1 and Site 2?

Community based routing is the standard deployment for most circumstances; also see 1.

3. Can I use MEP (Multiple Entry Point)

MEP is for RA VPN only, so it is unclear what this question means for S2S VPN?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
babicmilan
Collaborator

Hello.

Let's clarify: when I say "Policy Based VPN" I mean "Domain Based VPN".

I have attached Site to Site VPN R81.10 Administration Guide where MEP is explained.

1) S2S VPN tunnel between HQ and Site 1 is operational (Domain Based VPN), tunnel between HQ and Site 2 I need to configure.

babicmilan
Collaborator

Other questions:

  • In my topology, if I use MEP in a star community, HQ (CheckPoint ClusterXL) would be the Satellite Gateway, and Site1 and Site2 would be Center Gateways? How do I configure "VPN Routing" in this star community? The VPN tunnel must be initiated from HQ towards Site1 and Site2.
  • Can I use Route Based VPN with MEP, or must it be Community Based VPN?
Gojira
Collaborator

- Yes

- To center only should be fine.

- It doesn't matter from where the traffic is initiated.

- As I understand it, MEP is to be used with Domain Based VPN. Potentially, if you use routing there is no need for MEP, as the routing decision comes from the routing protocol.

Juan

babicmilan
Collaborator

Hello, I have created VPN star topology, "CP-ZZZRS" as satellite gateway, "VPN_PURS_GW" and "VPN_PURS_DR_GW" as center gateways. I have MEP enabled. I want to achieve that S2S tunnel between gateways "CP-ZZZRS" and "VPN_PURS_GW" has higher priority.

I'm not sure that I have configured it correctly; I want to be sure (attached picture).

Please look at the default priority rules and exception priority rules; for "Advanced" I have chosen "First to respond".

Best regards,

Milan Babic

the_rock
Legend

I remember a few years ago a customer had it set exactly the same way and it worked fine. Seems totally logical to me.

Andy

the_rock
Legend

I second what @Gojira told you.

G_W_Albrecht
Legend

MEP is enabled in the VPN Community, but not implicit MEP - see https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...

the_rock
Legend

I second what @Gojira gave you. Had a customer do this a couple of years back and it worked flawlessly.

Andy

the_rock
Legend

Also, to add: IF you have ISP redundancy, just know that any new VPN connections would NOT survive an ISP link failure. Something to keep in mind, if you do have that configured.

G_W_Albrecht
Legend

As I wrote: what is possible is to use both community and route based VPN: sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway

babicmilan
Collaborator

OK, does that mean it is not possible to mix Route Based VPN and Domain Based VPN toward the same destination, because Domain Based VPN will always take precedence? Is there a way to change this behavior by some policy order?

the_rock
Legend

As far as I'm aware, no and no. Sorry, I meant YES, domain based will take precedence, and NO, you can't change the behavior by policy order.

G_W_Albrecht
Legend

It is possible, as source AND destination must match Domains, see sk109340!

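To make the precedence rule from the last three posts concrete (domain-based VPN wins only when source AND destination both fall inside encryption domains; otherwise a VTI route can still carry the traffic), here is an added Python model. It is not code from the thread or from Check Point: the gateway names come from the posts, the addresses are constructed, and the "primary first, DR if primary unreachable" ordering is a simplification of MEP peer selection, not Check Point's actual probing logic.

```python
import ipaddress

# Constructed sample topology (addresses made up; gateway names taken from the thread).
LOCAL_DOMAIN = [ipaddress.ip_network("10.10.0.0/16")]            # CP-ZZZRS (HQ) encryption domain
PEER_DOMAINS = {                                                 # center gateways sharing one domain (MEP)
    "VPN_PURS_GW":    [ipaddress.ip_network("10.20.0.0/16")],
    "VPN_PURS_DR_GW": [ipaddress.ip_network("10.20.0.0/16")],
}
VTI_ROUTES = {                                                   # route-based VPN: destination -> VTI peer
    ipaddress.ip_network("10.30.0.0/16"): "VPN_PURS_DR_GW",
}
# Simplified MEP preference: primary first, DR used when the primary is unreachable (assumption).
MEP_PRIORITY = ["VPN_PURS_GW", "VPN_PURS_DR_GW"]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def select_tunnel(src, dst, reachable=frozenset(MEP_PRIORITY)):
    """Return (vpn_type, peer) for a flow: 'domain', 'route' or 'clear'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. Domain-based VPN takes precedence, but only if BOTH ends match encryption
    #    domains (the sk109340 condition quoted above). Among MEP peers covering the
    #    destination, pick the first reachable one in priority order.
    if _in_any(src, LOCAL_DOMAIN):
        peers = [gw for gw in MEP_PRIORITY
                 if gw in reachable and _in_any(dst, PEER_DOMAINS[gw])]
        if peers:
            return ("domain", peers[0])

    # 2. Otherwise a VTI route may still match (route-based VPN), longest prefix first.
    for net, gw in sorted(VTI_ROUTES.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
        if dst in net:
            return ("route", gw)

    # 3. Nothing matched: the packet would not be encrypted by either mechanism.
    return ("clear", None)
```

Flows that match both domains never reach the VTI lookup, which is the "domain based will take precedence" behaviour the thread describes; a destination outside the peer domains (10.30.0.0/16 here) is the only way the route-based tunnel to VPN_PURS_DR_GW is used.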
G_W_Albrecht
Legend

No need to post the VPN Admin Guide, I have it! Never saw MEP in use, though...
