Sergo89
Collaborator

VPN redundancy with third party devices

Hi Guys,

I have found some ideas on how to configure VPN redundancy with a third-party device (Cisco routers in my case), but some parts are not clear to me. I have one community with about ten devices (Cisco) and a hub (Check Point); everything works fine. I need to create redundancy for a couple of sites; they have two ISPs. On the Cisco side I am going to create two tunnels and use EMM with SLA or dynamic routing (but not sure about that; in this case I need to configure it on the Check Point side too).

Check Point side, a bunch of questions... It looks like I have to create more Interoperable Devices and add them to the community, but in this case how will Check Point choose between them? And how will it know about a primary channel outage? etc.

Please advise

Thanks

7 Replies
PhoneBoy
Admin

Probably the best way to do it with third party devices is with VTIs and Dead Peer Detection.

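To make the VTI plus Dead Peer Detection suggestion concrete, here is an added example of the Cisco IOS side (not configuration from this thread or from Check Point): two route-based tunnels to the same hub, one per ISP uplink, with IKEv2 DPD so that a dead peer takes the tunnel interface down and withdraws its route, letting the floating static route over the second tunnel take over. All addresses, interface names, policy names and the pre-shared key are placeholders I have assumed; the Check Point hub would need a matching route-based (VTI) configuration, as the replies note.

```cisco
! Added example: dual-ISP branch router, two VTIs to one Check Point hub.
! Addresses (RFC 5737 documentation ranges), interface names and PSK are
! constructed placeholders, not values from the thread.
crypto ikev2 proposal IKE2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKE2-POL
 proposal IKE2-PROP
crypto ikev2 keyring CP-KEYRING
 peer CHECKPOINT-HUB
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile CP-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CP-KEYRING
 ! Periodic DPD: probe every 10 s, retry every 3 s; on failure the IKE SA
 ! is torn down and the tunnel's line protocol goes down.
 dpd 10 3 periodic
crypto ipsec transform-set CP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile CP-IPSEC
 set transform-set CP-TS
 set ikev2-profile CP-PROFILE
! Primary tunnel, sourced from the ISP A uplink
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CP-IPSEC
! Backup tunnel, sourced from the ISP B uplink
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CP-IPSEC
! Routes to the hub's encryption domain (placeholder 10.10.0.0/16).
! The AD 10 floating route is installed only while Tunnel1 is down,
! i.e. after DPD has declared the primary peer dead.
ip route 10.10.0.0 255.255.0.0 Tunnel1
ip route 10.10.0.0 255.255.0.0 Tunnel2 10
```

Failover can be verified with `show crypto ikev2 sa`, `show ip interface brief | include Tunnel` and `show ip route 10.10.0.0` after the primary uplink is disconnected in a maintenance window.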
Sergo89
Collaborator

Thanks. How should it look from the Check Point side? Another community, special for one site with two devices? How do I change the routing?

the_rock
Legend

Reality is, @Blason_R is 100% correct. Truth is, making this work with CP is not so easy. MEP sounds like your best bet, because without it, CP will never know how to choose the right 3rd party device in case of failure.

PhoneBoy
Admin

It's a lot more complicated than that, since you might need to redo the entire configuration as VTIs instead of using domain-based VPN, as mixing the two creates its own issues.
MEP might also work, as others have suggested (but make sure that DPD is configured, since that's required for third-party VPN endpoints).

Blason_R
Leader

Unfortunately this is a challenge and limitation I have faced since the beginning, and AFAIK this is definitely not possible with Check Point. Hence I started using a different topology or devices like VyOS or other routers for IPsec VPN.

Even if you configure VTI, VTI is based on IPsec and you need to have IPsec set up first; since Check Point listens on only one interface, this creates an issue. Maybe you could try the MEP feature.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Sergo89
Collaborator

Thanks guys!

the_rock
Legend
