This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2021-09-10 01:47 AM

VTI interface with Cluster XL

Hi,

Based on the R80.30 VPN admin Guide, when doing Route Based VPN with clustered gateways, we need to assign one VTI IP address for each member and one VTI IP adddress for the cluster VIP .

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

Most of the time when doing Route Based VPN we get /30 or /31 subnet mask to have point to point with the peer.

- Does it mean that the IP for each member can be "dummy" interface that have nothing to do with the Cluster IP?

- Or should I get an IP in the same range for every VTI interface (Peer GW, member1, member2, and cluster)?

vti.png

 

 

 

Thank you for your help

 

 

5 Replies
the_rock
Legend
Legend
‎2021-09-10 09:54 AM

I can confirm this, and Im 100% positive (no doubt in my mind at all) that everyone I ever worked with and configured this for, we always used IPs from 169.254.x.x subnet and it worked perfectly fine.

As a matter of fact, you can refer to below article referencing that.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

BUT, this is really important...MAKE SURE that when adding routes for this, that default gateway is the actual remote VTI interface IP address, otherwise it wont work.

 

Ping me privately if you have issues, I have some guides for this as well. I cant share them with you, but I could show you some screenshots.

 

DR_74
Collaborator
‎2021-09-10 11:39 AM
In response to the_rock

Hello

Thank you for your message

Just to clarify in our case we have the VTI address for the cluster that looks like 169.254.254.2. The remote peer has 169.254.254.1.

So can I use another 169.254.254.3 and .4 for both members ? 

Or even something that has nothing to do with the VIP address eg 1.1.1.1 and 1.1.1.2

0 Kudos
the_rock
Legend
Legend
‎2021-09-10 12:34 PM
In response to DR_74

Yes sir! So, say fw1 has VTI with IP 169.254.0.10 and fw2 is 169.254.0.11 and VIP is .12 and remote is say 169.254.0.15 (just making that up, but you get the idea, right?). MAKE SURE the peer name when creating vti interface  is exactly the same as interoperable object name, otherwise topology will fail.

AK2
Collaborator
‎2022-08-07 08:01 PM
In response to the_rock

I found this very useful, thanks!

AK2
Collaborator
‎2022-08-07 08:03 PM

Thanks for asking this question, I had the same one 😀🤝

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top