abdelmajid_lakb
Explorer

VPN tunnels S2S and remote access using IPSec VPN - Link Selection with NATed IP address

We already have a working CP cluster with S2S VPN tunnels and remote access using IPSec VPN - Link Selection (Always use this IP address: the first ISP's public IP address, which is used as a static NAT on the Peplink load balancer).

Now we are trying to implement new VPN tunnels on the second link (ISP2) while ensuring the continuity of the existing tunnels over ISP1.

Our primary goal is to incorporate the new VPN tunnels on ISP2 while keeping the existing tunnels on ISP1 operational. We should focus on maintaining connectivity and ensuring a smooth transition to using both links: ISP1 for the existing tunnels and ISP2 for the new ones.

We already tried ISP redundancy, which failed; we even created support tickets with Check Point support, the last one being "6-0003628640", with no success.

This is very challenging for us since the customer was happy with the solution until this issue arose, and other technologies like Fortigate and Palo Alto are around.

Any suggestion or workaround from you Check Point gurus that can help will be appreciated.

Thanks 

0 Kudos
2 Replies
KristofV
Collaborator

Hello,

Your S2S tunnels, are these with Check Point devices managed by the same SMS, or with 3rd-party devices?

If it is a 3rd party, this device will not know about the link selection for remote peers (Always use this address, statically NATed IP) and can use your ISP2 IP address. You will have to put a host route to ISP2 for the public IP of the new S2S VPN.

For Check Point managed devices, ISP redundancy should be able to fail over the VPN to ISP2 if there is a failure, but I don't think it is possible to point all new peers to ISP2 while all others have ISP1. (Maybe changing the ISP redundancy settings and only pushing them to the new peers will work, but not optimal.)

What issues did you get with ISP redundancy? (We also got a lot of issues, but it is a bit stable now, only drops once a week.)

Maybe Check Point SDWAN is a solution for you ?

0 Kudos
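To make the host-route point above concrete, here is a small added Python model (not from this thread and not Check Point's code) of what the remote peer ends up seeing. It assumes egress follows the OS routing table, that ISP1 sits behind a static NAT on the load balancer while ISP2 holds a public IP directly, and all addresses are constructed; it shows that only a /32 host route sends the new peer's traffic out ISP2 while existing peers keep ISP1.

```python
import ipaddress

# Constructed sample topology, not taken from the thread. ISP1 is the existing
# link: the gateway sits behind a Peplink-style load balancer, so its interface
# address is private and the load balancer statically NATs it to a public IP,
# which is the address published via Link Selection "Always use this IP address".
# ISP2 is the new link, assumed here to carry a public IP directly.
ISP1 = {"dev": "eth1", "src": "10.0.0.2"}
ISP2 = {"dev": "eth2", "src": "203.0.113.10"}
STATIC_NAT = {"10.0.0.2": "198.51.100.10"}   # private ISP1 address -> public

# Routing table as (prefix, link) pairs; the default route points at ISP1.
BASE_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), ISP1)]

EXISTING_PEER = "192.0.2.10"   # constructed: peer already terminating on ISP1
NEW_PEER = "192.0.2.20"        # constructed: 3rd-party peer meant for ISP2


def egress(peer_ip, routes):
    """Longest-prefix match: the (dev, public source IP) the remote peer sees."""
    peer = ipaddress.ip_address(peer_ip)
    best = None
    for net, link in routes:
        if peer in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, link)
    src = best[1]["src"]
    return best[1]["dev"], STATIC_NAT.get(src, src)


def with_host_route(routes, peer_ip, link):
    """Copy of the table plus a /32 host route for peer_ip via the given link."""
    return routes + [(ipaddress.ip_network(f"{peer_ip}/32"), link)]


def peer_sees_expected_ip(peer_ip, routes, ip_configured_on_peer):
    """True when our egress source matches what the remote side has configured."""
    return egress(peer_ip, routes)[1] == ip_configured_on_peer


if __name__ == "__main__":
    routes = with_host_route(BASE_ROUTES, NEW_PEER, ISP2)
    print("new peer, default route only:", egress(NEW_PEER, BASE_ROUTES))
    print("new peer, with host route:   ", egress(NEW_PEER, routes))
    print("existing peer unchanged:     ", egress(EXISTING_PEER, routes))
```

Without the host route the new peer is reached from ISP1's NATed address, which is not the ISP2 IP the remote side was configured with, so the tunnel never matches; with it, only that one peer moves to ISP2.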
CheckPointerXL
Advisor

Is your main IP address a private IP or a public one? Is it the IP configured on the remote peers' side?

0 Kudos
