SaffaRamma
Participant

Backup VPN Interfaces

Interesting one which I believe SHOULD have a simple answer; however, I am struggling here!

I have a customer with the below environment (IP addresses are not the originals):

1 x SMS (This SMS manages both clusters defined below and sits behind GW-Cluster-A, i.e. it manages GW-Cluster-B over the internet but GW-Cluster-A via the internal network)

GW-Cluster-A (2 x 5000 appliances)

Interface                  VIP                GWA1               GWA2
eth0 (Internet)            20.0.0.1/24        20.0.0.2/24        20.0.0.3/24
eth1 (LAN)                 192.168.10.1/24    192.168.10.2/24    192.168.10.3/24
eth2 (Microwave1 P-2-P)    10.10.10.1/24      10.10.10.2/24      10.10.10.3/24
eth3 (Microwave2 P-2-P)    10.10.20.1/24      10.10.20.2/24      10.10.20.3/24


GW-Cluster-B (2 x 1500 SMB appliances - NB!!!)

Interface                  VIP                GWB1               GWB2
eth0 (WAN)                 30.0.0.1/24        30.0.0.2/24        30.0.0.3/24
eth1 (LAN)                 192.168.20.1/24    192.168.20.2/24    192.168.20.3/24
eth2 (Microwave1 P-2-P)    10.10.10.4/24      10.10.10.5/24      10.10.10.6/24
eth3 (Microwave2 P-2-P)    10.10.20.4/24      10.10.20.5/24      10.10.20.6/24


The requirement is for a site-to-site VPN to be established between both GW-Cluster-A and GW-Cluster-B utilising eth0 as the primary VPN interface and eth2 and eth3 as backup VPN interfaces.

1. Primary VPN over: eth0 on both clusters

2. Backup VPN 1 over: eth2 on both clusters

3. Backup VPN 2 over: eth3 on both clusters

This in theory should be pretty straightforward using Link Selection. The issue is ensuring that the routes to each LAN subnet are added/removed as the VPN fails over. This requires monitoring of remote IPs and works pretty well using BFD; however, that isn't supported on SMBs. The other thought was to use route-based VPNs; however, it doesn't appear possible to have multiple VTIs to a single device due to the requirement to use the peer name in the config (i.e. the peer name would be the same for all three interfaces which, again, isn't supported).

There's the added complication that we ONLY want VPN traffic to fail over and not ALL traffic using the default route, as that will saturate the microwave links.

I guess there is the option to use OSPF/BGP, although I'm not certain how well that plays with domain-based VPNs.

The additional issue is the requirement to manage the SMBs over the internet and, if the internet links go down (eth0), switch over to managing the device over the microwave links, which would then of course be trying to manage the device over an IP not defined as the "Main address". This is less of an issue and we can live without it; however, it would be nice to ensure constant management of the devices.

Is what we're trying to achieve outside the realms of what the Check Points can do?

0 Kudos
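The monitoring the post says is needed (probe the remote peer over each interface and add/remove the route to the remote LAN as the VPN fails over) can be sketched as a small state machine. The following is an added example, not code from the post or from Check Point: it probes the peer's tunnel endpoint over each path in priority order, applies hysteresis so a flapping microwave link does not cause route churn, and only ever moves the static route for the remote LAN prefix, never the default route. Interface names and peer VIPs are taken from the post's tables; the ISP next hop 20.0.0.254, the probe thresholds and the use of a reachability table in place of real ICMP/RDP probes are assumptions, and the Gaia clish `set static-route` strings are illustrative and should be checked against your Gaia version before use.

```python
"""Added example: VPN path monitor with hysteresis that moves only the
remote-LAN route (never the default route) between eth0/eth2/eth3.
Not code from the post or from Check Point.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Path:
    iface: str      # local interface carrying this tunnel
    peer_ip: str    # remote cluster VIP probed over this interface
    nexthop: str    # next hop for the remote-LAN route while this path is active


@dataclass
class PathState:
    up: bool = True
    fails: int = 0  # consecutive failed probes
    oks: int = 0    # consecutive successful probes


class VpnPathMonitor:
    """Tracks per-path health and emits Gaia clish route changes (illustrative syntax)."""

    def __init__(self, remote_lan: str, paths: List[Path],
                 probe: Callable[[Path], bool],
                 down_after: int = 3, up_after: int = 5) -> None:
        self.remote_lan = remote_lan
        self.paths = paths                  # priority order: first entry is preferred
        self.probe = probe                  # returns True if the peer answered over this path
        self.down_after = down_after
        self.up_after = up_after
        self.state: Dict[str, PathState] = {p.iface: PathState() for p in paths}
        self.active: Optional[Path] = None  # path the remote-LAN route currently points at

    def _update_health(self) -> None:
        for p in self.paths:
            st = self.state[p.iface]
            if self.probe(p):
                st.fails, st.oks = 0, st.oks + 1
                # A path returns to service only after up_after clean probes,
                # so a flapping link cannot drag the route back and forth.
                if not st.up and st.oks >= self.up_after:
                    st.up = True
            else:
                st.oks, st.fails = 0, st.fails + 1
                if st.up and st.fails >= self.down_after:
                    st.up = False

    def poll(self) -> List[str]:
        """Run one probe cycle; return the route commands to apply (possibly none)."""
        self._update_health()
        best = next((p for p in self.paths if self.state[p.iface].up), None)
        if best is None:
            # Fail closed: with every path down, keep the existing route rather than
            # delete it, so remote-LAN traffic is never silently handed to the
            # default route while no tunnel path is healthy.
            return []
        if best is self.active:
            return []
        cmds: List[str] = []
        if self.active is not None:
            cmds.append(f"set static-route {self.remote_lan} "
                        f"nexthop gateway address {self.active.nexthop} off")
        cmds.append(f"set static-route {self.remote_lan} "
                    f"nexthop gateway address {best.nexthop} on")
        self.active = best
        return cmds


# Paths as seen from GW-Cluster-A towards GW-Cluster-B (IPs from the post's tables).
PATHS = [
    Path("eth0", "30.0.0.1", "20.0.0.254"),    # internet; ISP next hop is assumed
    Path("eth2", "10.10.10.4", "10.10.10.4"),  # microwave 1, peer VIP is on-link
    Path("eth3", "10.10.20.4", "10.10.20.4"),  # microwave 2, peer VIP is on-link
]

# Constructed reachability table standing in for real ICMP/RDP probes.
REACHABLE = {"30.0.0.1": True, "10.10.10.4": True, "10.10.20.4": True}


def demo_failover() -> List[List[str]]:
    """Drive the monitor through an internet outage and recovery.

    Returns the command batch emitted by each poll so the sequence can be inspected:
    route installed on the first poll, two quiet polls, failover to eth2 on the
    third failed probe, four quiet polls, failback to eth0 on the fifth clean probe.
    """
    reach = dict(REACHABLE)
    mon = VpnPathMonitor("192.168.20.0/24", PATHS,
                         probe=lambda p: reach[p.peer_ip], down_after=3, up_after=5)
    batches = [mon.poll()]                        # initial route via eth0
    reach["30.0.0.1"] = False                     # internet link dies
    batches += [mon.poll() for _ in range(3)]     # failover on the 3rd failed probe
    reach["30.0.0.1"] = True                      # internet recovers
    batches += [mon.poll() for _ in range(5)]     # failback on the 5th clean probe
    return batches


if __name__ == "__main__":
    for i, batch in enumerate(demo_failover(), 1):
        print(f"poll {i}: {batch or 'no change'}")
```

Because `poll()` returns the commands instead of applying them, the same logic can be dropped into whatever execution wrapper fits the platform (clish on the Gaia cluster members, or something driven from the SMS for the SMB side), and the output can be reviewed in a dry run before it is allowed to touch the routing table.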
3 Replies
PhoneBoy
Admin

While I know you can fail over specific services, I don't think you can fail over VPN and not fail over anything else.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

I could be wrong, but I don't think you need multiple VTIs per peer since the underlying routing should take care of the multiple paths.

Unfortunately, there is no way to have multiple Main IPs for a given object.
You can always change it and push policy, of course, but that would be a manual thing (or something you could script maybe).

0 Kudos
SaffaRamma
Participant

Thanks @PhoneBoy. I was under the impression that we could fail the VPN traffic over using VPN Link Selection (without ISP redundancy) and this would essentially be based on the routes in the routing table?

Interesting idea using a single VTI with multiple interfaces...I'll give this a go in my lab. Not sure how it would play with VPN Link Selection. I'll report back.

0 Kudos
PhoneBoy
Admin

That is my understanding as well. 

0 Kudos
