Re: Using BGP address for Client VPN possible on R...

dphonovation · ‎2022-09-27

Hi all,

Pardon the long winded post, I'm no BGP expert and a bit stuck figuring this out.

We are building out 2 new datacentres with a new ISP peer. I've previously lab'ed this setup at my previous data centre but the ISP peer did things differently. In particular, the /31 I am to broadcast my BGP range from is internal in this new setup, whereas in my lab it was addressable publically. I was initially planning to simply use the /31 to setup a simple Client VPN for me to administer remotely and be able to play with the BGP setup once the Checkpoint is racked/stacked (it's a VM). Below is a basic diagram of what I *thought* it should look like. Direct imgur link: https://i.imgur.com/SgJSrVK.png

There are two ClusterXL Checkpoints (1 per site) running 81.10. My understanding is I cannot use aliases with ClusterXL to assign one of the BGP addresses to the cluster as an alias. Right now, each has it's own mgmt server. Eventually, the ISP will be building a layer 2 circuit between the sites and the plan will be to put them on the same Checkpoint MGMT plane. In the meantime, I need to be able to access both sites independently.

The new ISP peer has given me 2 BGP ranges. (the 82.X.X.X/27s). I envisioned being able to setup BGP at both sites and leverage ASPREPEND to prefer routing to Site 1 (left) unless it goes down, which would then prefer the route to Site 2 (right). In my afromentioned lab, the /31's at each site were publically addressable. I advertised BGP via a NAT Pool. Accessed the checkpoints via the /31 and NAT'ed any customer traffic headed for the /27 BGP range to appropriate back ends. I didn't even need to assign the Checkpoint Cluster any intefaces in the BGP range.

So in this new setup I was hoping to simply rack the kit, use the /31 as my own Client VPN connectivity and tinker with BGP addressing remotely without risking losing connectivity.

However the new ISP peer has just given me the circuit details and they expect my private AS to BGP peer from a 100.64.76.x/31 to their private AS, which they then push to their core.

It now feels like I would have no choice but to marry each BGP range to a site as a result, which is undesirable but I suppose I can find a way to live with it.

But this leads me to the question: How do I go about assigning an address out of my BGP range to the Checkpoint Cluster and expose Client VPN over it? I would usually think to do that as an alias, but that's not supported in Cluster XL. I also need the Checkpoint gateways to talk to the wider internet (for update and such) via one of the BGP addresses.

Any advice and guidance much appreciated. Thanks for reading.

Edit: This seems to have been a similar setup: https://community.checkpoint.com/t5/Security-Gateways/ISP-connection-using-private-IP-with-routed-pu...

PhoneBoy · ‎2022-09-27

Why not associate a route with the loopback interface?

dphonovation · ‎2022-09-27

Sorry, could you expand on what you mean?

I think you mean, associate one of the BGP routes I'm advertising to the ISP peer to my loopback interface and then:

1) for external internet access for the ClusterXL members, I setup a NAT rule per gateway (per cluster?)

2) for inbound Client VPN I simply use a static address in the link selection window that belongs in the BGP range?

PhoneBoy · ‎2022-09-27

Before I answer, I think I need clarification on what you mean by "expose Client VPN."
Do you mean have a route for the Office Mode network advertised via BGP?
Note that Office Mode networks should be unique per cluster.

dphonovation · ‎2022-09-27

No. In this scenario I have 2 goals at the moment:

1.) Simply use one of the IPs in the BGP block as the public IP I can connect to with Checkpoint Mobile for Windows

Edit: After rereading your reply. I think we are saying the same thing for #1

2.) Use one of the IPs in the BGP block as the source IP for my ClusterXL members for their own internet access. (Even though their ClusterXL VIP on the WAN side is a private address /31 to BGP Peer with)

Chris_Atkinson · ‎2022-09-27

Further to what @PhoneBoy suggested, starting R81.10 and above you can configure Loopbacks as clustered interfaces which may assist with the VPN target portion if you weren't planning to use the addresses assigned to a DMZ interface of sorts.

It's also straight forward to hide-NAT outbound internet access from internal clients to another address from those BGP ranges.

We also provide the ability documented in SK/ClusterXL admin guide to have the VIP and External interfaces on different subnets (some caveats apply here) but I've not myself tried this where the VIP is a BGP peer.

CCSM R77/R80/ELITE

dphonovation · ‎2022-09-28

I've done hide-nat on internal clients for BGP ranges.

I've also referenced the SK you speak of to have the External facing VIP be a private address assigned to me by the ISP (100.x.x.x) whereas the clusterxl member interfaces are in a 172.x.x.x locally.

But how do I get the ClusterXL members themselves to use a BGP address? In my lab, the ClusterXL members always used the External facing VIP to try and communicate with the world for things like updates, but in this case it's a private address.

It sounds like a similar case in this thread: https://community.checkpoint.com/t5/Security-Gateways/ISP-connection-using-private-IP-with-routed-pu...

PhoneBoy · ‎2022-09-29

No, I was talking about the IP range that's assigned to the VPN client when it connects to the gateway.

dphonovation · ‎2022-10-04

I've solved this as Chris suggested in the thread I linked (posted by someone else)

My WAN ClusterXL vip is no longer private. I asked the ISP to split one of the /27s into 4x /29s. Used the 1st /29 block to direct peer with to their BGP gateway and advertised the remaining 3 with BGP.

Thank you all

Are you a member of CheckMates?

Using BGP address for Client VPN possible on R81.10?