VTI interface with Cluster XL
Hi,
Based on the R80.30 VPN Admin Guide, when doing Route Based VPN with clustered gateways, we need to assign one VTI IP address for each member and one VTI IP address for the cluster VIP.
Most of the time when doing Route Based VPN we get /30 or /31 subnet mask to have point to point with the peer.
- Does it mean that the IP for each member can be a "dummy" interface that has nothing to do with the Cluster IP?
- Or should I get an IP in the same range for every VTI interface (Peer GW, member1, member2, and cluster)?
Thank you for your help
I can confirm this, and I'm 100% positive (no doubt in my mind at all) that everyone I ever worked with and configured this for, we always used IPs from 169.254.x.x subnet and it worked perfectly fine.
As a matter of fact, you can refer to the article below referencing that.
BUT, this is really important... MAKE SURE that when adding routes for this, that default gateway is the actual remote VTI interface IP address, otherwise it won't work.
Ping me privately if you have issues, I have some guides for this as well. I can't share them with you, but I could show you some screenshots.
Hello
Thank you for your message
Just to clarify, in our case we have the VTI address for the cluster that looks like 169.254.254.2. The remote peer has 169.254.254.1.
So can I use another 169.254.254.3 and .4 for both members?
Or even something that has nothing to do with the VIP address, e.g. 1.1.1.1 and 1.1.1.2?
Yes sir! So, say fw1 has VTI with IP 169.254.0.10 and fw2 is 169.254.0.11 and VIP is .12 and remote is say 169.254.0.15 (just making that up, but you get the idea, right?). MAKE SURE the peer name when creating the VTI interface is exactly the same as the interoperable object name, otherwise topology will fail.
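Added example, not part of the thread or of Check Point's documentation: a small Python pre-check that reads Gaia clish lines from each cluster member and flags the two mistakes the replies above warn about (a VPN route whose next hop is not the remote VTI address, and a VTI peer name that differs from the interoperable object name), plus reuse of a VTI address. The peer name `PeerGW`, tunnel id 1, the 10.20.0.0/16 network and the `check_vti_plan` helper are assumptions for illustration.

```python
import re

# Constructed sample input: Gaia clish lines for each cluster member, using the
# made-up addresses from the reply above. The peer name "PeerGW", tunnel id 1
# and network 10.20.0.0/16 are assumptions for illustration.
MEMBER_CONFIGS = {
    "fw1": [
        "add vpn tunnel 1 type numbered local 169.254.0.10 remote 169.254.0.15 peer PeerGW",
        "set static-route 10.20.0.0/16 nexthop gateway address 169.254.0.15 on",
    ],
    "fw2": [  # two deliberate mistakes: peer name case, next hop set to the VIP
        "add vpn tunnel 1 type numbered local 169.254.0.11 remote 169.254.0.15 peer peergw",
        "set static-route 10.20.0.0/16 nexthop gateway address 169.254.0.12 on",
    ],
}
TUNNEL_RE = re.compile(
    r"add vpn tunnel \d+ type numbered local (\S+) remote (\S+) peer (\S+)$")
ROUTE_RE = re.compile(r"set static-route (\S+) nexthop gateway address (\S+) on$")


def check_vti_plan(configs, cluster_vip, interoperable_name, vpn_networks):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    owner = {cluster_vip: "cluster VIP"}  # VTI address -> who uses it
    for member, lines in configs.items():
        tunnels = [m.groups() for l in lines if (m := TUNNEL_RE.match(l.strip()))]
        routes = [m.groups() for l in lines if (m := ROUTE_RE.match(l.strip()))]
        remotes = {remote for _, remote, _ in tunnels}
        for local, remote, peer in tunnels:
            for addr, role in ((local, member), (remote, "remote peer")):
                if owner.setdefault(addr, role) != role:
                    findings.append(f"{member}: {addr} already used by {owner[addr]}")
            if peer != interoperable_name:  # exact match, as the reply requires
                findings.append(f"{member}: peer '{peer}' != object '{interoperable_name}'")
        for dest, nexthop in routes:
            if dest in vpn_networks and nexthop not in remotes:
                findings.append(f"{member}: route {dest} via {nexthop}, not the remote VTI IP")
    return findings


if __name__ == "__main__":
    for finding in check_vti_plan(MEMBER_CONFIGS, "169.254.0.12", "PeerGW", {"10.20.0.0/16"}):
        print(finding)
```

With the constructed input, fw1 passes and fw2 produces two findings: the lower-case peer name and the route pointing at the cluster VIP instead of the remote VTI address.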
I found this very useful, thanks!
Thanks for asking this question, I had the same one 😀🤝
