This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Juan_
Collaborator
‎2020-04-08 10:38 AM

VPN redundancy - On premise to AWS

Hi Community.

With the increase in popularity of AWS, we have been receiving many requests to set up or troubleshoot VPNs of this kind.

 

image.png

 

One of the most popular calls is due a VPN outage caused in deployments with static routes  (sk100726) where customers have ticked the "ping" checkbox in the route, as mentioned in the sk by the way. 

From time to time the route disappears from the route table and thus traffic is not forwarded. 

This is fine, you remove the tick from ping checkbox in the static route and everything is back to normal (many TAC cases opened confirming this)

 

But this raises the question that automatic redundancy does not work and that sk100726 gives a false sense of security.

 

What's your approach when configuring mesh tunnels like these towards AWS?

Has anyone tried sk164355? Is BGP the best option? 

 

Thanks in advance

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-04-09 09:45 PM

Are you using Dead Peer Detection?
Juan_
Collaborator
‎2020-04-10 11:00 AM
In response to PhoneBoy

As responder mode.

But for it to help with the redundancy it should be R80.30s sk164355, is it? In a MEP style + DPD
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-10 04:36 PM
In response to Juan_

sk164355 seems like the right approach, yes.
0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-10 12:02 AM

I think the best way would be to set up 2 VPNs with routed VPN (VTIs) and BGP for this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Cyber_Serge
Collaborator
‎2020-04-10 02:15 PM
In response to Norbert_Bohusch

Hi, does it require BGP?

From the AWS documentation it also support 2 routerd VTI without BGP. Since VTI is route based, if 1st VTI VPN tunnel is down, would it route through 2nd VTI VPN tunnel automatically?
https://docs.aws.amazon.com/vpc/latest/adminguide/check-point-NoBGP.html
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events