VPN tunnels S2S and remote access using IPSec VPN - Link Selection with Natted Ip address
We already have a working CP cluster with VPN tunnels S2S and remote access using IPSec VPN - Link Selection ("Always use this IP address" --- the first ISP public IP address, which is used as a static NAT on the Peplink load balancer).
Now we are trying to implement new VPN tunnels on the second link (ISP2) while ensuring the continuity of the existing tunnels over ISP1.
Our primary goal is to incorporate the new VPN tunnels on ISP2 while keeping the existing tunnels on ISP1 operational. We should focus on maintaining connectivity and ensuring a smooth transition to using both links: ISP1 for the existing tunnels and ISP2 for the new ones.
We already tried ISP redundancy, which failed; we even created support tickets with Check Point support, the last one being "6-0003628640", with no success.
This is very challenging for us since the customer was happy with the solution until this issue arose, and other technologies like Fortigate and Palo Alto are around.
Any suggestion or workaround from you Check Point gurus that can help will be appreciated.
Thanks
Hello,
Your S2S tunnels, are these with Check Point devices managed by the same SMS, or with 3rd-party devices?
If it is a 3rd-party device, it will not know about the link selection for remote peers ("Always use this address", statically NATed IP) and can use your ISP2 IP address. You will have to put a host route to ISP2 for the public IP of the new S2S VPN.
For Check Point managed devices, ISP redundancy should be able to fail the VPN over to ISP2 if there is a failure, but I don't think it is possible to point all new peers to ISP2 while all others have ISP1. (Maybe changing the ISP redundancy settings and only pushing them to the new peers will work, but not optimal.)
What issues did you get with ISP redundancy? (We also got a lot of issues, but it is a bit stable now, only drops once a week.)
Maybe Check Point SDWAN is a solution for you ?
Is your main IP address a private IP or a public one? Is it the IP configured on the remote peers' side?