Raymond_Poede
Participant

IPSec Amazon without VTI

Site2Site VPN (Amazon - Company)

We're running a firewall cluster based on R77.30 and want to set up an IPsec VPN tunnel with Amazon VPC.

But there's a known issue with R77.30 and VTIs.

See:

How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC u... 

If CoreXL is disabled we see very high CPU usage.

That's why we want to set up IPsec without VTIs, instead of updating to R88.10 first.

When downloading the Configuration file from Amazon:

  • Vendor: Generic
  • Platform: Generic
  • Software: Vendor Agnostic

Within the config file there's a part about the inside IP address:

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway        : a.b.c.d
  - Virtual Private Gateway : z.y.x.w

Inside IP Addresses
  - Customer Gateway        : 169.254.22.106/30
  - Virtual Private Gateway : 169.254.22.105/30

How can I configure the inside Customer Gateway and inside Virtual Private Gateway addresses without using VTIs?

The following SK article has been followed (sk113840):

How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Serv... 

And:

Ensure VPN Tunnels Pass Traffic Between Customer Gateways and Virtual Private Gateways 

Please advise.

Regards,

Ray

0 Kudos
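The inside /30 pair in the AWS "Generic / Vendor Agnostic" download is the point-to-point addressing AWS expects on a tunnel interface. The parser below is an added example, not code from the original post or from Check Point or AWS: it extracts the outside and inside address blocks from that file layout and checks that the inside pair is a usable link-local /30 (same network, neither address the network or broadcast address), which is the sanity check to run before deciding how, or whether, those addresses can be represented in a non-VTI setup. The excerpt it parses is constructed, with placeholder outside addresses.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the AWS generic configuration download.
# Outside addresses are documentation-range placeholders, not real endpoints.
SAMPLE = """\
Outside IP Addresses:
  - Customer Gateway                 : 203.0.113.10
  - Virtual Private Gateway            : 198.51.100.20

Inside IP Addresses
  - Customer Gateway                 : 169.254.22.106/30
  - Virtual Private Gateway             : 169.254.22.105/30
"""

# One "  - <role> : <address>" line; the role column has variable padding.
LINE_RE = re.compile(r"^\s*-\s*(Customer Gateway|Virtual Private Gateway)\s*:\s*(\S+)")


def parse_tunnel_addresses(text):
    """Return {'outside': {'cgw':..., 'vgw':...}, 'inside': {...}} from the AWS text."""
    result = {"outside": {}, "inside": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Outside IP Addresses"):
            section = "outside"
        elif stripped.startswith("Inside IP Addresses"):
            section = "inside"
        elif section:
            m = LINE_RE.match(line)
            if m:
                role = "cgw" if m.group(1).startswith("Customer") else "vgw"
                # AWS sometimes leaves a trailing period after the address.
                result[section][role] = m.group(2).rstrip(".")
    return result


def check_inside_pair(cgw, vgw):
    """Return a list of problems; empty means the pair is a valid link-local /30."""
    c, v = ipaddress.ip_interface(cgw), ipaddress.ip_interface(vgw)
    link_local = ipaddress.ip_network("169.254.0.0/16")
    problems = []
    if c.network != v.network:
        problems.append("inside addresses are not in the same /30")
    if c.network.prefixlen != 30:
        problems.append("prefix is not /30")
    for iface in (c, v):
        if iface.ip not in link_local:
            problems.append(f"{iface.ip} is not link-local")
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{iface.ip} is the network or broadcast address")
    return problems
```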
1 Reply
PhoneBoy
Admin

It's generally less reliable to not use VTIs with Amazon.

See: https://community.checkpoint.com/message/14458-re-ipsec-tunnel-to-aws-vpc-sporadically-drops-after-p... 

You really should consider upgrading to R80.x.

0 Kudos
