nlegastelois
Explorer

VPN S2S with third party devices through 2 interfaces

Hello,

We are using a ClusterXL with two gateways (active/passive) that are running version R81.

From this cluster we have three S2S VPNs with third-party devices, created using domain VPN. For now we have only one route, through an L3 device that is connected to two lines and acts as a BGP partner with the two providers. In this scenario, if one circuit is down, the Check Point gateways are still using the same public IP range and the VPN tunnels remain up.

We have to migrate to another solution with two ISPs connected to two different interfaces of the Check Point, with one dedicated public IP range per ISP.

I have been searching for hours through the different topics about how to fail over the VPN from one ISP to another, but I am completely lost.

From what I could read, Link Selection will not work with non-Check Point peers.

I was thinking of creating a static route toward the peer IP using ISP1 with a higher priority and adding IP reachability detection for the peer IP; then, if it fails, the secondary route will be used for the VPN. Is it possible to do it this way?

Thank you for your help.

Nicolas

PhoneBoy
Admin

Link Selection is not dependent on the remote gateway being a Check Point device.
What you're looking for is here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

nlegastelois
Explorer

Hello,

I just had a look at this link, but it says:

  • How about interoperability with non Check Point VPN devices?
    Interoperability with non Check Point VPN gateways is not supported.
    RDP (probing) protocol is Check Point proprietary.
    Interoperable VPN devices generate VPN tunnels per interface, whereas in this solution the tunnel is generated between VPN peers regardless of the number of outgoing VPN interfaces and links deployed between the VPN gateways.

So it seems it is not supported with a non-Check Point device?

Thanks

PhoneBoy
Admin

Link Selection should work regardless of the remote VPN endpoint.
Dead Peer Detection should be the default in R81, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
