DR_74
Contributor

VTI interface with Cluster XL

Hi,

Based on the R80.30 VPN Admin Guide, when doing Route Based VPN with clustered gateways, we need to assign one VTI IP address for each member and one VTI IP address for the cluster VIP.

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

Most of the time when doing Route Based VPN we get /30 or /31 subnet mask to have point to point with the peer.

- Does it mean that the IP for each member can be a "dummy" interface that has nothing to do with the Cluster IP?

- Or should I get an IP in the same range for every VTI interface (Peer GW, member1, member2, and cluster)?

vti.png

Thank you for your help

5 Replies
the_rock
Legend

I can confirm this, and I'm 100% positive (no doubt in my mind at all) that with everyone I ever worked with and configured this for, we always used IPs from the 169.254.x.x subnet and it worked perfectly fine.

As a matter of fact, you can refer to the article below referencing that.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

BUT, this is really important... MAKE SURE that when adding routes for this, the default gateway is the actual remote VTI interface IP address, otherwise it won't work.


Ping me privately if you have issues, I have some guides for this as well. I can't share them with you, but I could show you some screenshots.


DR_74
Contributor

Hello

Thank you for your message

Just to clarify in our case we have the VTI address for the cluster that looks like 169.254.254.2. The remote peer has 169.254.254.1.

So can I use another 169.254.254.3 and .4 for both members?

Or even something that has nothing to do with the VIP address, e.g. 1.1.1.1 and 1.1.1.2?

the_rock
Legend

Yes sir! So, say fw1 has a VTI with IP 169.254.0.10, fw2 is 169.254.0.11, the VIP is .12 and the remote is say 169.254.0.15 (just making that up, but you get the idea, right?). MAKE SURE the peer name when creating the VTI interface is exactly the same as the interoperable object name, otherwise topology will fail.
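The thread's two practical rules (every cluster member, the VIP and the peer each need their own VTI address in one shared subnet, and the static routes over the tunnel must use the remote VTI address as next hop) are easy to get wrong when the peer hands out a /30 or /31. The following is an added example, not code from the thread or from Check Point: a small Python sanity check for a VTI addressing plan before it is typed into the gateways. The `VtiPlan` structure, the plan values and the `check_vti_plan` function are this example's own assumptions; it generalises the /30 question above by counting how many usable addresses the chosen mask actually offers against how many the cluster needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class VtiPlan:
    """Addressing plan for one route-based VPN tunnel on a ClusterXL pair (assumed structure)."""
    peer_vti: str           # remote gateway's VTI address
    cluster_vip: str        # cluster VIP address on the VTI
    member_vtis: List[str]  # one VTI address per cluster member
    prefix_len: int         # mask applied to every VTI address
    route_next_hop: str     # next hop used for static routes over the tunnel


def check_vti_plan(plan: VtiPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    addrs = [plan.peer_vti, plan.cluster_vip] + list(plan.member_vtis)
    ips = [ipaddress.ip_address(a) for a in addrs]

    # 1. Every VTI address (peer, VIP, each member) must be unique.
    if len(set(ips)) != len(ips):
        problems.append("duplicate VTI address in plan")

    # 2. All addresses must sit in the subnet implied by the peer address and mask.
    net = ipaddress.ip_network(f"{plan.peer_vti}/{plan.prefix_len}", strict=False)
    outside = [str(ip) for ip in ips if ip not in net]
    if outside:
        problems.append(f"addresses outside {net}: {', '.join(outside)}")

    # 3. For masks shorter than /31, the network and broadcast addresses are not usable hosts.
    if plan.prefix_len < 31:
        reserved = [str(ip) for ip in ips
                    if ip in (net.network_address, net.broadcast_address)]
        if reserved:
            problems.append(f"network/broadcast address used as VTI: {', '.join(reserved)}")

    # 4. The subnet must have room for peer + VIP + every member.
    needed = len(ips)
    usable = net.num_addresses if plan.prefix_len >= 31 else net.num_addresses - 2
    if usable < needed:
        problems.append(f"/{plan.prefix_len} offers {usable} usable addresses, plan needs {needed}")

    # 5. Routes over the tunnel must point at the remote VTI address, not a member or VIP.
    if ipaddress.ip_address(plan.route_next_hop) != ipaddress.ip_address(plan.peer_vti):
        problems.append(f"route next hop {plan.route_next_hop} is not the peer VTI {plan.peer_vti}")

    return problems


# Constructed plan modelled on the original question: a /30 from the peer cannot hold
# peer + VIP + two members (.4 falls outside the /30 and .3 is its broadcast address).
SLASH30_PLAN = VtiPlan(
    peer_vti="169.254.254.1",
    cluster_vip="169.254.254.2",
    member_vtis=["169.254.254.3", "169.254.254.4"],
    prefix_len=30,
    route_next_hop="169.254.254.1",
)

# Constructed plan modelled on the reply above: a wider link-local subnet gives each
# member, the VIP and the peer a distinct address, with routes pointing at the peer VTI.
GOOD_PLAN = VtiPlan(
    peer_vti="169.254.0.15",
    cluster_vip="169.254.0.12",
    member_vtis=["169.254.0.10", "169.254.0.11"],
    prefix_len=24,
    route_next_hop="169.254.0.15",
)

if __name__ == "__main__":
    for name, plan in (("slash30", SLASH30_PLAN), ("good", GOOD_PLAN)):
        print(name, check_vti_plan(plan) or "OK")
```

The check deliberately treats the mask as shared by all four addresses, which is what the admin guide's "one address per member plus one for the VIP" implies; if the peer can only offer a /30 or /31, the fix is a wider subnet for the tunnel (the 169.254.x.x space used in the replies), not squeezing member addresses outside the agreed range.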

AK2
Collaborator

I found this very useful, thanks!

AK2
Collaborator

Thanks for asking this question, I had the same one 😀🤝
