Create IPSEC S2S VPN with a new ClusterXL interface
Good afternoon, everybody.
We currently have a ClusterXL on which we are already working on several VPNs.
What we want is to implement a new VPN against a partner, but making use of a new PUBLIC IP that we plan to add to our Infrastructure.
We have free interfaces in each ClusterXL member, and there we are going to configure a new PUBLIC IP, and what we want is to create a VPN making use of this new configuration.
Is this possible?
Thanks for your support.
Link Selection is how you determine what IP is used for VPN (configured in the cluster object under IPSec VPN > Link Selection).
There is no way to say “for VPN peer X, use this public IP” at least directly.
That said, you can use routing to influence this if the appropriate Link Selection setting is used.
Hello,
Thank you for your prompt reply.
I was browsing through the SmartConsole options and indeed, I have not found anything that allows me to select the new Public IP that is on another new interface of the Cluster.
I guess there is no way to do this.
Routing can influence what IP is used.
That assumes you have configured appropriate static routes that route traffic for that VPN out that specific interface.
Please refer to the VPN guide for more details: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...
Thank you for the information.
One additional doubt: does selecting the "Main address" option, found in the "Link Selection" section when opening the gateway/cluster object, make the gateway use as its external IP the IP that appears in "General Properties"?
Thanks for all the support.
Correct, Main Address points to General Properties.
Main Address refers to the IP address you have listed for the gateway object in General Properties.
This is not always an externally routable IP, which is one reason the Link Selection option exists.
I agree with @PhoneBoy. Also, to add to that, if you have multiple external links, you can set up ISP redundancy, but most people in that case would make use of an HA scenario, active-standby, so that if the primary ISP link goes down, the other one can take over for VPN.
Andy