CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, new to Check Point. We have a load-balanced ISP setup: one is a 4Meg leased line, the other a 19Meg ADSL line. The way we want this to work is that the 19Meg is the primary line, which we can set up and get working fine; however, this then breaks the site-to-site VPNs, as they run across the 4Meg connection. Have tried to bind them to this interface, but it does not seem to work. Can anyone give me a rough guideline as to what needs to be set? We are running a Crossbeam with R60A Check Point. Cheers in advance. J
Hi, I think static routes might be able to resolve the VPN link route issues; not sure how this is added on a Crossbeam system. So the route would be: Dst Peer ##.##.##.##/32, next hop 19Mb leased line router. You might also need to add routes for the encryption domains (subnets) for that peer down the 19Mb router. Also do a search on this forum, as I think with ISP Redundancy Check Point routes certain traffic down the primary connection, especially if you have your own mail relay box behind the firewall.
With ISP Redundancy, all Static NAT is sent out via the primary interface if in load-balancing mode. Hide NAT is balanced across both. If you want to route your VPN tunnels down a line, then turn off ISP Redundancy and just use static routes via the 4Mb line. You will need a route for the VPN gateway; you will also then probably need to add a route for the encryption domains via the 4Mb line.
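The static-route approach described in the two replies above, as an added illustration that is not part of the thread and is not Check Point or Crossbeam configuration: a longest-prefix route lookup run over a constructed routing table. It shows that with only a default route the VPN peer gateway and the hosts in its encryption domain leave via the primary link, and that adding a /32 route for the peer plus a route for its encryption domain sends both via the 4Mb line while ordinary Internet traffic stays on the 19Mb default. All addresses (203.0.113.1, 198.51.100.1, 192.0.2.10, 10.20.0.0/16) are assumed sample values.

```python
"""Longest-prefix route lookup showing which ISP link carries VPN traffic
once per-peer and encryption-domain routes exist.  Added illustration, not
Check Point or Crossbeam code; every address below is a constructed sample."""
import ipaddress

# Constructed sample topology (assumptions, not taken from the thread):
#   19Mb ADSL router        -> 203.0.113.1   (primary, default route)
#   4Mb leased-line router  -> 198.51.100.1  (VPN link)
#   remote VPN peer gateway -> 192.0.2.10, encryption domain 10.20.0.0/16
ROUTER_19MB = "203.0.113.1"
ROUTER_4MB = "198.51.100.1"
VPN_PEER = "192.0.2.10"
PEER_ENC_DOMAIN = "10.20.0.0/16"


def lookup(table, dst):
    """Return the next hop for dst by longest-prefix match.

    table is a list of (prefix, next_hop) strings.  Returns None when no
    route covers dst (no default route present)."""
    addr = ipaddress.ip_address(dst)
    best = None  # (network, next_hop) of the most specific match so far
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def default_only():
    """Table with just the default route via the primary (19Mb) link."""
    return [("0.0.0.0/0", ROUTER_19MB)]


def with_vpn_routes():
    """Default route plus the two static routes the reply recommends:
    a /32 for the peer gateway and one for its encryption domain, both
    pointing at the 4Mb leased-line router."""
    return default_only() + [
        (VPN_PEER + "/32", ROUTER_4MB),
        (PEER_ENC_DOMAIN, ROUTER_4MB),
    ]


def where_does_it_go(table):
    """Next hop chosen for the three destinations that matter here."""
    return {
        "internet": lookup(table, "1.1.1.1"),       # ordinary outbound traffic
        "vpn_peer": lookup(table, VPN_PEER),         # IKE/ESP to the peer gateway
        "peer_host": lookup(table, "10.20.5.7"),     # host inside the peer's domain
    }


if __name__ == "__main__":
    print("default route only :", where_does_it_go(default_only()))
    print("with VPN routes    :", where_does_it_go(with_vpn_routes()))
```

With only the default route every destination, the peer gateway included, resolves to the 19Mb router; after the two extra routes the peer and its encryption domain resolve to the 4Mb router and everything else still uses the default. The /32 is what keeps the tunnel's outer packets on the leased line; the encryption-domain route covers the cleartext traffic addressed to hosts behind the peer.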
OK, seem to now have got this working; however, it seems that using the VPN link selection works, but I seem to have to apply the primary/backup interfaces, apply this, then deselect the correct VPN link selection, apply, then select the correct link selection, and all works.

But this has left me with one problem: with Static NATs on one server, this server is now unable to communicate with the outside world (another server seems unaffected, so not sure why). However, reading the documentation it appears I need to set up a Hide NAT, which is fine, and the server can communicate with the outside world; however, the NAT does not appear to work on the backup route (4Mb line).

This is all getting quite frustrating; am sure it's my inexperience with the Check Point, but there does appear to be some weirdness here (guess all equipment has its strange behaviour).

Basically the server that needs access to the outside world is 192.168.1.1, for example, and only needs SMTP published. Surely I just create a hide rule saying:

Destination: Outside 4Mb IP, Port: SMTP
Translated: 192.168.1.1, Port: SMTP

And that should all work? Any help sooooo gratefully received. J
Hide NAT, if you have ISP Redundancy, needs to be set to Hide Behind Gateway so that it hides behind the gateway interface that it leaves from. There is also an excellent article in the Check Point knowledgebase that explains exactly what needs to be done to create working Static NAT and Hide NAT with ISP Redundancy, as it is not the same as in normal mode; you need to create dynamic objects and then define them on the local boxes themselves to get it to work.
Have tried this, but will give it another go; just didn't know if I am missing something really obvious (as I don't understand why the other connection remained working with a Static NAT and this one failed!!!). J