S2S VPN redundancy with two ISP
Hi all,
Could you please tell me whether it is possible to configure two active S2S VPN tunnels, one tunnel per ISP?
My scenario: 5000 series (R80.10) appliances configured as a cluster
Eth1 >> connected to ISP 1 (public IP address block /29)
Eth2 >> connected to ISP 2 (public IP address block /29)
I don't use ISP redundancy, because we use PBR for some good reason.
We use S2S tunnels between the data center with a Juniper SRX and the Check Point in the office. Inside the S2S VPN we use the BGP protocol to distribute routes.
I would like to have two active tunnels at the same time: one configured using the ISP1 public IP, the second configured using ISP2. I will distribute better routes for VPN tunnel 1, but in case of a problem with ISP1 I expect that VPN tunnel 2 will immediately take over the traffic.
I know how to configure two tunnels in active/standby mode, but I am wondering if it is somehow possible to achieve an active/active configuration.
Thanks in advance
In Check Point, you do this with a MEP configuration choosing the option "Random Selection."
See: Multiple Entry Point (MEP) VPNs
As the underlying mechanisms are proprietary, I do not believe this will work with a third party VPN endpoint.
You can create tunnel interfaces and run BGP on them; that way you create a redundant setup the same way you do with AWS. Route-based VPN is what it is called within Check Point.
Hi Patryk, sorry, I know you posted this a long time ago, but could you please explain how you set up two tunnels in active/standby mode using BGP? I already have VTI tunnels up, but I don't know how to route traffic in a way to have redundancy.
Thanks in advance
