This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patryk_Pilarski
Explorer
‎2019-01-02 11:05 AM

S2S VPN redundancy with two ISP

Hi all,

Could you please point me, if this is possible to configure two active S2S VPN tunnels - one tunnel per one ISP?

My scenario: 5000series (R80.10) appliances configured as a cluster 

Eth1 >> connected to ISP 1 (public IP address block /29)

Eth2 >> connected to ISP 2 (public IP address block /29)

I don't use ISP redundancy, because we use PBR for some good reason.

We use S2S tunnels between data center with Juniper SRX and Checkpoint in the office. Inside S2S VPN we use BGP protocol to distribute routes.

I would like to have two active tunnels at the same time - one configured by using ISP1 public IP, second configured by using ISP2. I will distribute better routes for VPN tunnel 1, but in case of problem with ISP1 I expect that VPN tunnel 2 will immediately handover traffic. 

I know hot to configure two tunnels in active/standby mode, but I am wondering if this is somehow possible to achieve active/active configuration

Thanks in advance 

2 Replies
PhoneBoy
Admin
Admin
‎2019-01-02 12:12 PM

In Check Point, you do this with a MEP configuration choosing the option "Random Selection."

See: Multiple Entry Point (MEP) VPNs

As the underlying mechanisms are proprietary, I do not believe this will work with a third party VPN endpoint.

Maarten_Sjouw
Champion
Champion
‎2019-01-03 01:11 AM

You can create tunnel interfaces, on those you can run BGP, in that way you create a redundant setup the same way you use AWS. Route based VPN is what it is called within Check Point.

Regards, Maarten