
IPSec Amazon without VTI

Question asked by Raymond Poede on Dec 4, 2018
Latest reply on Dec 4, 2018 by Dameon Welch-Abernathy

Site2Site VPN (Amazon - Company)

 

We're running a firewall cluster based on R77.30 and want to set up an IPsec VPN tunnel with Amazon VPC.

 

But there's a known issue with R77.30 and VTIs.

See:

How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes 

 

If CoreXL is disabled we see very high CPU usage.

That's why we want to set up IPsec without VTIs instead of updating to R88.10 first.

 

When downloading the Configuration file from Amazon:

  • Vendor: Generic
  • Platform: Generic
  • Software: Vendor Agnostic

 

Within the config file there's a part about the Inside IP Address

 

The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
  - Customer Gateway          : a.b.c.d
  - Virtual Private Gateway   : z.y.x.w

Inside IP Addresses
  - Customer Gateway          : 169.254.22.106/30
  - Virtual Private Gateway   : 169.254.22.105/30

 

 

How can I configure the inside Customer Gateway and inside Virtual Private Gateway without using VTIs?

 

The following SK article has been followed (sk113840)

How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Services VPC using stati… 

 

And:

Ensure VPN Tunnels Pass Traffic Between Customer Gateways and Virtual Private Gateways 

 

Please advise.

 

Regards,

Ray
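As an added example that is not part of the original post (and not Check Point's or AWS's code): a Python parser for the Generic / Vendor Agnostic configuration download described in the question. Per IPSec tunnel it extracts the outside (public) gateway addresses, the inside 169.254.x.x/30 pair and the pre-shared key, checks that the two inside addresses really are the two usable hosts of one link-local /30, and returns only the values a domain-based (non-VTI) gateway definition consumes. The sample input is constructed; the public addresses are RFC 5737 documentation ranges standing in for the post's a.b.c.d / z.y.x.w, the PSK strings are placeholders, and treating the VPC CIDR as the remote encryption domain is an assumption of this example.

```python
# Added example, not from the post, Check Point or AWS: parse the AWS "Generic /
# Vendor Agnostic" site-to-site VPN download and separate what a VTI needs (inside
# /30 pair) from what a domain-based (non-VTI) definition needs (peer IP, PSK, domain).
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the AWS download. Tunnel #1 reuses the inside
# /30 pair from the post; public IPs are RFC 5737 ranges standing in for a.b.c.d and
# z.y.x.w. Tunnel #2 has a deliberately mismatched inside pair for the check to reject.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : CONSTRUCTED.psk.tunnel1
#3: Tunnel Interface Configuration
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
  - Customer Gateway         : 198.51.100.10
  - Virtual Private Gateway  : 203.0.113.5
Inside IP Addresses
  - Customer Gateway         : 169.254.22.106/30
  - Virtual Private Gateway  : 169.254.22.105/30
IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : CONSTRUCTED.psk.tunnel2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 198.51.100.10
  - Virtual Private Gateway  : 203.0.113.6
Inside IP Addresses
  - Customer Gateway         : 169.254.30.2/30
  - Virtual Private Gateway  : 169.254.30.5/30
"""

TUNNEL_HEADER = re.compile(r"^IPSec Tunnel #(\d+)$")
KV_LINE = re.compile(r"^-\s*(?P<key>[A-Za-z -]+?)\s*:\s*(?P<value>\S+)$")
SECTIONS = {"Outside IP Addresses": "outside", "Inside IP Addresses": "inside"}
ROLES = {"Customer Gateway": "cgw", "Virtual Private Gateway": "vgw"}


@dataclass
class Tunnel:
    number: int
    psk: Optional[str] = None
    outside: Dict[str, str] = field(default_factory=dict)                     # role -> public IP
    inside: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)  # role -> link /30


def parse_generic_config(text: str) -> List[Tunnel]:
    """Split the download into tunnels and collect the addressing and PSK lines."""
    tunnels: List[Tunnel] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = TUNNEL_HEADER.match(line)
        if header:
            tunnels.append(Tunnel(number=int(header.group(1))))
            section = None
            continue
        if not tunnels:                  # preamble before the first tunnel block
            continue
        if line.startswith("#"):         # a "#n: ..." subsection heading ends any section
            section = None
            continue
        if line.rstrip(":") in SECTIONS:
            section = SECTIONS[line.rstrip(":")]
            continue
        kv = KV_LINE.match(line)
        if not kv:
            continue
        key, value, cur = kv.group("key").strip(), kv.group("value"), tunnels[-1]
        if key == "Pre-Shared Key":
            cur.psk = value
        elif key in ROLES and section == "outside":
            cur.outside[ROLES[key]] = str(ipaddress.IPv4Address(value))
        elif key in ROLES and section == "inside":
            cur.inside[ROLES[key]] = ipaddress.IPv4Interface(value)
    return tunnels


def inside_pair_is_consistent(t: Tunnel) -> bool:
    """True when the CGW and VGW inside addresses are the two usable hosts of one 169.254/16 /30."""
    if set(t.inside) != {"cgw", "vgw"}:
        return False
    cgw, vgw = t.inside["cgw"], t.inside["vgw"]
    net = cgw.network
    if net.prefixlen != 30 or vgw.network != net:
        return False
    return {cgw.ip, vgw.ip} == set(net.hosts()) and net.subnet_of(ipaddress.IPv4Network("169.254.0.0/16"))


def domain_based_parameters(t: Tunnel, vpc_cidr: str) -> Dict[str, str]:
    """Values a domain-based (non-VTI) gateway definition consumes.

    The inside /30 pair is left out on purpose: the AWS text says it belongs on a tunnel
    interface, which a domain-based setup never creates. vpc_cidr is supplied by the
    caller and, as an assumption of this example, is used as the remote encryption domain.
    """
    return {
        "local_gateway_ip": t.outside["cgw"],
        "peer_gateway_ip": t.outside["vgw"],
        "pre_shared_key": t.psk or "",
        "remote_encryption_domain": str(ipaddress.IPv4Network(vpc_cidr)),
    }
```

Running `parse_generic_config(SAMPLE_CONFIG)` yields two tunnels; tunnel 1 passes `inside_pair_is_consistent` (169.254.22.105 and .106 are the hosts of 169.254.22.104/30) while tunnel 2 fails because its two inside addresses fall in different /30s. `domain_based_parameters` is the short list that survives once the tunnel interface is taken out of the design: peer address, local address, PSK and the remote domain.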
