This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
arcotangente
Participant
‎2020-02-24 08:06 AM

VPN Tunnel failover with 2 ISP's and Juniper gateway on remote side

Hi guys, 

My scenario is as follows: on the main site we've got a Checkpoint cluster running R80.10 and a single ISP, that runs an IPSEC VPN tunnel to our secondary site, where we have a Juniper SRX firewall.

Recently a second ISP line has been added to the secondary site to improve the availability and the target is to setup an automatic mechanism on both sides that in case the tunnel through the ISP1 goes down, the IPSEC tunnel will automatically raised on ISP2. 

What's the best way to do this? a single VPN community with both satellite gateways (ISP1 and ISP2)? What else, should I enable DPD on both gateways (Checkpoint and Juniper)?

 

Thanks in advance!

0 Kudos
5 Replies
arcotangente
Participant
‎2020-02-26 03:10 AM

No one?

0 Kudos
Matthias_Haas
Advisor
‎2020-02-26 05:21 AM
In response to arcotangente

Hi arcotangente,

in the past I used routed based VPNs with dynamic routing as failover/health check mechanism.

Have done that with Juniper SSGs a while ago (on both sides so)

So both tunnels are up and based on e.g. ospf metric/cost you decide which is the preferred tunnel

May be that is an option ?

Matthias

0 Kudos
arcotangente
Participant
‎2020-02-26 06:22 AM
In response to Matthias_Haas

Hi Matthias, 

That wouldn't cause traffic dropped due asymmetric routing? the CP may send some traffic through tunnel A and the Juniper return the reply through tunnel B?

I was thinking an scenario where there is a single star community, the Check point as Center GW, and the 2 Junipers (set up as interoperable devices with each public IP) as satellite gateways. And then enable DPD, don't know which mode.

 

Does it makes sense? leaving anything behind?

Thanks

0 Kudos
Matthias_Haas
Advisor
‎2020-02-26 10:08 PM
In response to arcotangente

Hi arcotangente,

i don´t think asymmetric routing is an issue.  For example OSPF Equal Cost Multipath is a situation were you do have asymmetric routing (see sk100502 for further details).

But if you configure ospf correctly this should not happen. When you are enable OSPF on a tunnel interface you can define a cost for this interface:

ospf.png

You would have two tunnel interfaces on both sides. Your prefered connection will get a lower cost on both side.

Your firewall will learn the routes through both interfaces. As long as the routes are learned through the interface with the lower cost, this route will be used.

That is just an idea, as I said, did this with Juniper SSGs  but not so far with Checkpoint and Juniper SRX

With SSGs you could even use static routing as a tunnel interface was only "up" if the vpn connection was up.

 

Regarding single star community:

You would have fully overlapping encryption domain  (both interoperable devices would have the same encryption domain) which is supported.

What I don´t know is how you can configure which tunnel to use as both tunnels are up normally ?

Matthias

 

 

0 Kudos
arcotangente
Participant
‎2020-02-27 08:16 AM
In response to Matthias_Haas

Thanks Matthias, 

Let's see if someone else can shed some light on the DPD thing. 

At least when you configure a tunnel to Amazon AWS, it uses 2 satellite gateways as well with same encryption domain and recommends to enable DPD. 

BR

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events