hugothebas
Contributor

Third party IPSEC VPN with 2 peers

Hello all, sorry if this is already answered before, I've searched here and couldn't find anything related.

We have a customer with whom we need to establish an "HA" IPSEC VPN. They have 2 remote peer addresses, let's name them site A and site B, both using Cisco ASA, with site A being the preferable one; if it becomes unavailable, we would still have a VPN established with site B.

I have a local R80.40 GW. I know I can set a VPN community and add both interoperable devices to it, but how can I be sure that the traffic would only go to site B if site A is unavailable?

I also know that I could create 2 VPN communities, but if I do that I think I would have a problem with the encryption domain because they would be the same, right?

What would be the best way to achieve this setup?


Thanks!

0 Kudos
2 Replies
Bob_Zimmerman
Authority

I think the simplest and most predictable way to control this would be a route-based VPN with dynamic routing. Route-based VPNs involve setting up a virtual interface (called a VTI) on your firewall which acts like a really long Ethernet cable going to the remote VPN endpoint. Since it's an interface, you can do most of the normal interface things like running OSPF or BGP on it. Once you have dynamic routing set up, the other side can control which path you prefer by tweaking router IDs, OSPF link cost, or any number of other properties.

0 Kudos
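As an added illustration of the route-based approach described in the reply above (not configuration from the thread, from Check Point or from the ASA side), here is what the local R80.40 gateway side could look like in Gaia clish: one numbered VTI per ASA, OSPF on both VTIs, and a lower cost on the site A tunnel so it is preferred while site B stays up as the backup. Tunnel IDs, /30 addresses, costs and the peer object names ASA_SiteA and ASA_SiteB (assumed to be the interoperable device objects defined in SmartConsole) are assumptions.

```clish
# Added example (not from the thread or from Check Point docs): Gaia clish on
# the local R80.40 gateway. Tunnel IDs, /30 addresses, costs and the peer object
# names ASA_SiteA / ASA_SiteB are assumed values.

# One numbered VTI per peer; Gaia names them vpnt1 and vpnt2
add vpn tunnel 1 type numbered local 10.99.1.1 remote 10.99.1.2 peer ASA_SiteA
add vpn tunnel 2 type numbered local 10.99.2.1 remote 10.99.2.2 peer ASA_SiteB

# OSPF over both VTIs; the lower cost on vpnt1 makes site A the preferred path
# and vpnt2 (site B) is only used when the site A adjacency drops
set router-id 10.99.1.1
set ospf area backbone on
set ospf interface vpnt1 area backbone on
set ospf interface vpnt1 cost 10
set ospf interface vpnt2 area backbone on
set ospf interface vpnt2 cost 100
save config

# Checks: both tunnels present, both neighbours up, customer prefix via vpnt1
show vpn tunnels
show ospf neighbors
show route ospf
```

Both ASAs must advertise the same customer prefix and use matching cost preferences, otherwise return traffic can come back over the other tunnel. Check Point's route-based VPN setup uses an empty group as the VPN domain for these peers so that routing, not the encryption domain, decides which tunnel carries the traffic.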
genisis__
Leader

I agree, but it would also be nice if Checkpoint accounted for this scenario in the community, i.e. maybe by a priority list or by recognising a backup device in the community.

0 Kudos