Matlu
Advisor

Create IPSEC S2S VPN with a new ClusterXL interface

Good afternoon, everybody.

We currently have a ClusterXL on which we are already working on several VPNs.

What we want is to implement a new VPN against a partner, but making use of a new PUBLIC IP that we plan to add to our Infrastructure.

We have free interfaces in each ClusterXL member, and there we are going to configure a new PUBLIC IP, and what we want is to create a VPN making use of this new configuration.

Is this possible?

Thanks for your support.

0 Kudos
7 Replies
PhoneBoy
Admin

Link Selection is how you determine what IP is used for VPN (configured in the cluster object under IPSec VPN > Link Selection).
There is no way to say “for VPN peer X, use this public IP” at least directly.
That said, you can use routing to influence this if the appropriate Link Selection setting is used.

0 Kudos
Matlu
Advisor

Hello,

Thank you for your prompt reply.

I was browsing through the SmartConsole options and indeed, I have not found anything that allows me to select the new Public IP that is on another new interface of the Cluster.

I guess there is no way to do this.

0 Kudos
PhoneBoy
Admin

Routing can influence what IP is used.
That assumes you have configured appropriate static routes that route traffic for that VPN out that specific interface.
Please refer to the VPN guide for more details: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top... 

0 Kudos
Matlu
Advisor

Thank you for the information.

An additional question: does selecting the "Main address" option, found in the "Link Selection" section when opening the gateway/cluster object, make the gateway use as its external IP the IP that appears in "General Properties"?

Thanks for all the support.

0 Kudos
garrod
Contributor

Correct, Main Address points to General Properties.

0 Kudos
PhoneBoy
Admin

Main Address refers to the IP address you have listed for the gateway object in General Properties.
This is not always an externally routable IP, which is one reason the Link Selection option exists.

0 Kudos
the_rock
Legend

I agree with @PhoneBoy. Also, to add to that, if you have multiple external links, you can set up ISP redundancy, but most people in that case would make use of an HA scenario, active-standby, in case of the primary ISP link going down, so the other one can take over for VPN.

Andy

0 Kudos