This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IMCristian_Rosa
Explorer
‎2023-10-05 11:38 AM

VPN S2S 2 ISPs + AWS

Hello,

We have a cluster on R81.10, in which we have two links/ISP from different suppliers. We would like to enable redundancy for a VPN with AWS.
EX:
ISP 1
ISP2

In other words, having 2 active tunnels, when the ISP1 tunnel fails, the ISP2 tunnel is activated.

As we know that S2S VPNs with AWS are route based, we have already ruled out using link selection.

In a first conversation with AWS, they informed us that it will have to be done via BGP.


Has anyone already implemented this configuration?

0 Kudos
9 Replies
the_rock
Legend
Legend
‎2023-10-08 02:57 PM

Why not use MEP? It applies if you have more than 1 center gateway, unless you are strictly referring to ISP redundancy?

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

0 Kudos
IMCristian_Rosa
Explorer
‎2023-10-08 05:51 PM
In response to the_rock

Hello, The_Rock,

Tks for feedback.

What I need is ISP redundancy to have redundancy between two tunnels.


Tks

Cristian Rosa


0 Kudos
the_rock
Legend
Legend
‎2023-10-08 06:44 PM
In response to IMCristian_Rosa

Hey mate,

Not so sure thats possible, because if you think about it logically, how would the AWS side ever know that there was ISP like change and would be aware of new external IP?

Andy

0 Kudos
IMCristian_Rosa
Explorer
‎2023-10-10 12:08 PM
In response to the_rock

Andy,

This scenario is common, how would I do VPN redundancy using VTI/AWS?

Is there no possibility?

Tks

Cristian Rosa

0 Kudos
IMCristian_Rosa
Explorer
‎2023-10-10 12:08 PM
In response to PhoneBoy

Hello, PhoneBoy

Tks for feedback.

What I need is ISP redundancy to have redundancy between two tunnels.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-10 01:16 PM
In response to IMCristian_Rosa

From sk108958: "To detect when a tunnel goes down and to route traffic through the second tunnel, we use BGP."

0 Kudos
IMCristian_Rosa
Explorer
‎2023-10-10 01:25 PM
In response to PhoneBoy

Hi,

But in this case, the reference is to the second tunnel on the AWS side. In AWS there will be redundancy, but on the Checkpoint side.

Note that there is only one peer/ISP on the Checkpoint side.



vpn aws.png

Tks

Cristian Rosa

0 Kudos
the_rock
Legend
Legend
‎2023-10-10 01:55 PM
In response to IMCristian_Rosa

We had a client who wanted similar thing and we did end up using BGP, though this was Azure, but literally the same concept.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top