Gomboragchaa
Advisor

Multiple VPN - MEP

How can I do VPN optic link with Internet IPsec VPN?

May I use MEP? Which IP address becomes the main IP of the Check Point cluster?

0 Kudos
8 Replies
PhoneBoy
Admin

MEP implies you have two VPN gateways responsible for the exact same locations.

That doesn't appear to be the case here, so MEP is not appropriate.

What you're probably after is Link Selection.

Refer to the VPN Site to Site docs: Site to Site VPN R80.10 - Part of Check Point Infinity 

Gomboragchaa
Advisor

Thank you for your response. 

I tried Link Selection.

But it cannot connect the VPN connections concurrently.

Do I need to create a VTI interface on Check Point?

0 Kudos
PhoneBoy
Admin

How did you configure Link Selection?

You can configure it in an HA mode (only one VPN link is active) or in a Load Sharing mode (both VPN links are active). 

Various scenarios and how to configure them are described in the documentation I linked above.

0 Kudos
Norbert_Bohusch
Advisor

Link Selection Probing relies on a Check Point proprietary protocol.

As your peers in branch location are Cisco ASA, this will not work, as far as I know!

PhoneBoy
Admin

Right, and the documentation discusses how to deal with this.

0 Kudos
Gomboragchaa
Advisor

Thank you Norbert Bohusch.

You're right. I tested many times. It can connect only to Check Point gateways.

Do you have any solution for my case? Please give me advice.

I am still looking for a convenient solution.

0 Kudos
KennyManrique
Advisor

Hi Gomboragchaa,

My recommendation is that you update to R80.10 and use Route Based VPN (numbered) only with Branch-1 while maintaining Domain Based with the other two locations (only one link to them). It would also be convenient to change the ClusterXL mode to HA instead of LS because of the implications on tunnel establishment with remote peers according to ATRG: VPN Core and VPN Site-to-Site with 3rd party.

You will have to update your ASA device on Branch-1 to at least version 9.7.1 to support Route Based VPN deployments: Release Notes for the Cisco ASA Series, 9.7(x) - Cisco

Regards.

Gomboragchaa
Advisor

Thank you for your advice, Kenny Manrique.

Branch1's ASA version is 8.4(7)1. I am not sure about upgrading Cisco IOS, and I think it is the best solution. I will inquire more about Route Based VPN.
