Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
4mon
Participant

VPN as a backup (routing config)

Hi guys,
I have a little conceptual trouble and I would like to ask you for advice.

I need to reach client URLs (for example client.com 15.0.0.15) using two ways:
MPLS (primary)
and
VPN Site to Site (backup - VPN has to be UP all the time)

Currently I have already configured VPN Site to Site and everything works.
I didn't add any static routes to reach 15.0.0.15. Default routing to the Internet has been already in placed and only domain encryption and security policies has been created.

Now Client delivered their own pre-configured router so I connected it to CheckPoint.

What should be next steps to complete configuration?
Of course I know that I should set static route to 15.0.0.15 trought interface which is connected to MPLS Client router..
but what will happen then with VPN?
Which way will have higher priority? VPN or MPLS?
How to switch traffic to VPN when Primary MPLS will have outage?
Maybe I should delete 15.0.0.15 from domain encryption to reach 15.0.0.15 IP trought MPLS?

I hope that I described clearly this scenario so I would be grateful for your help.
I have a R80.40 Cluster_XL

0 Kudos
3 Replies
RS_Daniel
Advisor

Hello @4mon ,

If you are using domain based VPN and assuming 15.0.0.15 is part of remote encription domain, the traffic to 15.0.0.15 will always go through the VPN tunnel. Even in the case the VPN is down, a new connection attempt will trigger the VPN negotiation, so MPLS will not be used. Answering your questions:

but what will happen then with VPN? VPN will always be used to reach 15.0.0.15
Which way will have higher priority? VPN or MPLS? VPN
How to switch traffic to VPN when Primary MPLS will have outage? No possible with domain based VPN
Maybe I should delete 15.0.0.15 from domain encryption to reach 15.0.0.15 IP trought MPLS? Is possible, but you will have to do this every time you want to switch from VPN to MPLS, and add it back when you want to go from MPLS to VPN.

To reach redundancy between MPLS and VPN i see two possible options, first option use a route based VPN so you can create two different routes with different metrics according to your needs, let's say route through the VPN with metric 2 (backup) and route through the MPLS with metric 1 (primary). You can use ip reachability detection feature to monitor MPLS link with a ping, when the ping fails, the route through the MPLS will become inactive and the route through the vpn will be active. You can also use OSPF to update routes automatically.

Second option is to keep domain based VPN and use a bogus IP address, for example 16.0.0.16 that will not be part of remote encryption domain and that should be routed through the MPLS link. So you will have two IP address to reach the remote service, you could manage the redundancy internally with DNS for example. It will require a NAT rule on the remote site to translate traffic to 16.0.0.16 to the real IP address 15.0.0.15 which is quiet difficult if it is a third party.

HTH.

Regards

 

4mon
Participant

Hi @RS_Daniel
Thank you very much for very useful advice.
 
I'm not familiar with Route Based VPN (yet..)
Do you know maybe if this change from Domain Based to Route Based VPN will require any change configuration on the peer side which have Cisco ASA with crypto-policy?

0 Kudos
RS_Daniel
Advisor

Hello @4mon ,

I did not test myself if it would work with route based vpn on CheckPoint site and crypto map on the Cisco ASA. AFAIK if you are using crypto maps on Cisco ASA, you must define a route to make the vpn traffic leave through the correct interface (where the crypto map is applied to), so in this case you will be able to reach redundancy with routes.

So in this case, the problem will come with phase 2 negotiation, as the encryption domains are exhanged here as phase 2 ID and they must match on both sides, on a domain based VPN, the ID's are the subnets that are part of the encryption domains, while in a route based vpn, as the encryption domains are not relevant, the ID's are 0.0.0.0 . There is a threat here where Timothy_Hall gives a great explanation about this.

https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-on-one-side-and-Domain-Based-VPN-...

Regards