This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sergo89
Collaborator
‎2023-01-05 02:07 PM

VPN redundancy with third party devices

Hi Guys,

I have found some ideas how to configure VPN redundancy with third party device (Cisco routers in my case), but some parts are not clear for me. I have one community with about ten devices (Cisco) and hub - checkpoint, everything works fine. I need to create redundancy for couple of sites, they have two ISPs. On Cisco side i am going to create two tunnels and use EMM with SLA or dynamic routing (but not sure about that, in this case i need to configure it on Checkpoint side too).

CheckPoint side, bunch of questions...  Looks like i have to create more Interoperable devices and add them to Community, but in this case how CheckPoint will choose them? and how will it know about primary channel outage? etc

Please advise

thanks 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-01-05 03:24 PM

Probably the best way to do it with third party devices is with VTIs and Dead Peer Detection.

0 Kudos
Sergo89
Collaborator
‎2023-01-05 04:21 PM
In response to PhoneBoy

thanks. How it should like from checkpoint side? Another community special for one site with two devices? how to change routing?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-05 08:17 PM
In response to Sergo89

Reality is, @Blason_R is 100% correct. Truth is, making this work with CP is not so easy. MEP sounds like your best bet, because without it, CP will never know how to choose the right 3rd party device in case of failure.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-06 06:20 AM
In response to Sergo89

It’s a lot more complicated than that since you might need to redo the entire configuration as VTIs instead of using domain based VPN as mixing the two creates its own issue.
MEP might also work as well as others have suggested (but make sure that DPD is configured since that’s required for third party VPN endpoints).

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-01-05 06:08 PM

Unfortunately this is a challenge and limitation I faced since beginning and AFAIK this is definitely not possible with checkpoint. Hence I started using different topology or devices like vyos or other routers for VPN IPsec.

Even you configure VTI - VTI is based on Ipsec and you need to have IPsec setup first since CheckPoint listens on only one interface this creates an issue. May be you could try MEP feature

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
(1)
Sergo89
Collaborator
‎2023-01-05 08:27 PM
In response to Blason_R

Thanks guys!

the_rock
MVP Platinum
MVP Platinum
‎2023-01-05 08:29 PM
In response to Sergo89

For the reference:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events