This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duminda_lakmal
Participant
‎2023-01-09 03:13 AM

VPN Interoperable IP Duplicate configuration

We have a requirement as below :

Currently, we have established IPSEC between Our Primary DC and One of the client's site firewalls and we are managing our Primary and DR DC checkpoint FW using the same Management server.

We must set up our DR center with the Same peer Gateway IP.  what is the recommended method to configure interoperable configuration, is it okay to duplicate the interoperable device witch we use in Production GW Cluster and the same Duplicate Current VPN domain? 

 

Instead of using existing interoperable devices create another one in Documentation & administration. 

 

Please advise are there any disadvantages create 2 interoperable device with same IP? 

 

Thank you,

 

 

Preview file
69 KB
0 Kudos
4 Replies
Blason_R
Leader
Leader
‎2023-01-09 04:44 AM

External IP should not be a issue however the SIC IP has to be different. By the way how the peer will differentiate and establish VPN with same peer  IP? How will peer know which firewall to route the packet?

 

What is the intention of this activity? I guess there are other ways to achieve the redundancy if you are planning for it then.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Duminda_lakmal
Participant
‎2023-01-09 09:11 AM
In response to Blason_R

Hi.

Yes, our intention is High availability. Peer gateway ( I Mean Customer side Firewall). 

On our Side, we have a separate policy package for Primary & DR. currently we have one community with a production side cluster and Customer's side Firewall IP (Interoperable Device)

we are going to create new VPN Community with mentioning DR Site CP Cluster and Client's side same Peer GW IP (Second interoperable Device - Duplicate as Primary side configures because peer GW and Domain same)

 

Also, we are asking customer to create new community including our DR site and their Gateways. 

(No Need automatic failover)

 

***This is my Question We can use

1. only One interoperable device for both My side communities DR and Primary

2. Create Duplicate Interoperable same as Production site configures then apply new duplicated one for DR community configuration. 

 

Are there any limitation or misconfiguration when i duplicate Interoperable device in checkpoint environment? 

I totally understand without duplicate we can do this, but this is for my understanding. 

Kindly help me clarify this point. 

Thank you, 

 

 

 

0 Kudos
Blason_R
Leader
Leader
‎2023-01-09 09:18 AM
In response to Duminda_lakmal

Nah - I dont think you will be able to do it on CheckPoint and yes Check Point wont be able to send a traffic if encryption_domains overlaps. You must think of something else; I have compiled vyos open source and then using it for all my site-site VPN configurations.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2023-01-09 10:11 AM
In response to Duminda_lakmal

I agree with @Blason_R . Its highly unlikely you can do this with CP side.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events