Luke_Abrams
Participant

Site to site VPN using backup ISP for one site

Hello, we have 4 sites total, 3 remote sites that connect back to our primary site via site to site VPN tunnels.  All sites are Check Point.  One of our sites has a hop that is dropping/losing/whatever with packets and this is causing major slowness.  Our primary ISP isn't being helpful since it isn't on their network.  During our testing we found that if we use our backup ISP, it will use a different path and the slowness is gone. 

So all of that to ask is it possible to route 1 site to site vpn over the backup ISP while leaving the others routed over the primary ISP?

0 Kudos

Accepted Solutions
PhoneBoy
Admin

Yes, you will need to adjust the Link Selection setting to make decision based on the routing table.
Refer to: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top... 


12 Replies
Luke_Abrams
Participant

I am looking through the article you provided; my scenario, from the way I see it, would be similar to "Security Gateway with Several IP Addresses Used by Different Parties".  There doesn't seem to be much direction on that one though. All sites have static addresses.  I only want the one site to run on the alternate ISP.  So I would need to add some routing on the local gateways to accomplish this?  I am not sure if it makes a difference or not, but the remote site is running SMB 1600 series.  

0 Kudos
PhoneBoy
Admin

Yes, you would route all traffic for that particular site through the other ISP using static routes.
This will cause Link Selection to use the appropriate interface IP when doing a Site to Site VPN on that interface.

0 Kudos
Luke_Abrams
Participant

Would those static routes be on the remote site pointing back at the main site or at the main site pointing at the remote site?  Or would it be on both?

0 Kudos
PhoneBoy
Admin

The routes would be on the gateway where Link Selection is configured.
If the remote site has multiple ISPs also, you might want routes configured there as well to ensure symmetry.

0 Kudos
Luke_Abrams
Participant

I guess I am missing something, sorry. Pictures are so often worth a thousand words, so I will include some pics below.  First is the link selection configuration from the primary site: 71 is the normal ISP link, 122 is the one I want this connection only to go out of.   

PrimarySiteLinkSelection.png

The second picture is of the static routes configured for this.  The 91-93 are the external addresses of the remote cluster, Eth3 is the external interface of the alternate ISP I want this remote site to connect on.  

PrimarySiteRouting.png

However, my tunnel is still connecting on the 71 ISP even after resetting it multiple times. 

0 Kudos
PhoneBoy
Admin

You're using an interface route when you should be using an IP-based nexthop (specifically to the default route for ISP2).
Also, what does the Source IP address setting say?

0 Kudos
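To make the two points in this thread concrete (route one peer's traffic out the backup ISP with static routes, and use an IP next hop rather than an interface route), here is an added Gaia clish example. It is not configuration from the original thread or from Check Point; every address below is a constructed placeholder, and the interface name eth3 is assumed from the poster's description.

```clish
# Added example, not from the thread. Constructed placeholder addressing:
#   198.51.100.0/24  ISP1 (primary) uplink, ISP1 router 198.51.100.1
#   192.0.2.0/24     ISP2 (backup) uplink on eth3, ISP2 router 192.0.2.1,
#                    this gateway's eth3 address 192.0.2.10
#   203.0.113.91-93  external addresses of the remote cluster (constructed)

# The default route stays on ISP1, so every other VPN peer keeps using it.
set static-route default nexthop gateway address 198.51.100.1 on

# Wrong form for this purpose: an interface (logical) route. The kernel then
# ARPs for 203.0.113.91 directly on eth3 instead of handing the packet to the
# ISP2 router, so the remote peer is never reached over that link.
# set static-route 203.0.113.91/32 nexthop gateway logical eth3 on

# Correct form: a host route per remote cluster address with the ISP2 router
# as an IP next hop. With Link Selection deciding by the operating system
# routing table, the tunnel to this peer is now sourced from eth3 (ISP2).
set static-route 203.0.113.91/32 nexthop gateway address 192.0.2.1 on
set static-route 203.0.113.92/32 nexthop gateway address 192.0.2.1 on
set static-route 203.0.113.93/32 nexthop gateway address 192.0.2.1 on
save config

# Verify which egress interface and source address the kernel picks for the
# peer (expert mode; Gaia is Linux underneath). Expected, abbreviated:
#   expert
#   ip route get 203.0.113.91
#   203.0.113.91 via 192.0.2.1 dev eth3 src 192.0.2.10
```

Gaia static routes are per member, so on a cluster the same routes are entered on both members. If the `ip route get` output still shows the ISP1 interface as `src`, the routing change has not taken effect and the Link Selection behaviour seen in the thread (tunnel still on the primary ISP) is expected. As noted above, the remote site should have matching routes back toward this gateway's ISP2 address if it has more than one uplink, so that both directions of the tunnel take the same path.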
Luke_Abrams
Participant

So it should work like this?  It looks like it is still using the gateway of .65 even after tunnel resets. 

PrimarySiteRouting2.png

PrimarySiteSourceSetting.png

PrimarySiteTunnels.png

0 Kudos
PhoneBoy
Admin

Yes like that.
And, unless a reboot solves it, I recommend a TAC case for further troubleshooting.

0 Kudos
Luke_Abrams
Participant

Ok, I am running installs of the latest Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T78 right now on the clusters so that restarts during the install.  I will see if that resolves it.  If not we can get a case rolling.

0 Kudos
Luke_Abrams
Participant

Our SMB at the remote site is managed by the same manager as the main site and the main site IP has its external set as its main IP.  Does this change anything on what we need to configure?

0 Kudos
PhoneBoy
Admin

You shouldn't need to.
That said, I highly recommend having TAC review your configuration.

0 Kudos
