Duminda_lakmal
Participant

VPN Interoperable IP Duplicate configuration

We have a requirement as below :

Currently, we have established IPsec between our primary DC and one of the client's site firewalls, and we are managing our primary and DR DC Check Point firewalls using the same management server.

We must set up our DR center with the same peer gateway IP. What is the recommended method to configure the interoperable device? Is it okay to duplicate the interoperable device which we use in the production GW cluster, and also duplicate the current VPN domain?

Instead of using the existing interoperable device, create another one in Documentation & Administration.

Please advise: are there any disadvantages to creating 2 interoperable devices with the same IP?

Thank you,

0 Kudos
4 Replies
Blason_R
Leader
Leader

External IP should not be an issue; however, the SIC IP has to be different. By the way, how will the peer differentiate and establish a VPN with the same peer IP? How will the peer know which firewall to route the packet to?

What is the intention of this activity? I guess there are other ways to achieve the redundancy, if you are planning for it.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Duminda_lakmal
Participant

Hi.

Yes, our intention is high availability. Peer gateway (I mean the customer-side firewall).

On our side, we have a separate policy package for primary & DR. Currently we have one community with the production-side cluster and the customer's side firewall IP (interoperable device).

We are going to create a new VPN community with the DR site CP cluster and the client's same peer GW IP (second interoperable device, a duplicate of the primary-side configuration, because the peer GW and domain are the same).

Also, we are asking the customer to create a new community including our DR site and their gateways.

(No need for automatic failover)

***This is my question. Can we use:

1. only one interoperable device for both of my side communities, DR and primary

2. a duplicate interoperable device configured the same as the production site, then apply the new duplicated one for the DR community configuration.

Are there any limitations or misconfigurations when I duplicate an interoperable device in a Check Point environment?

I totally understand that we can do this without duplicating, but this is for my understanding.

Kindly help me clarify this point. 

Thank you, 

0 Kudos
Blason_R
Leader
Leader

Nah - I don't think you will be able to do it on Check Point, and yes, Check Point won't be able to send traffic if encryption domains overlap. You must think of something else; I have compiled VyOS open source and am using it for all my site-to-site VPN configurations.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend

I agree with @Blason_R. It's highly unlikely you can do this on the CP side.

0 Kudos
