Dual ISP IPSec tunnel Failover on 1100/1400



jerryroy1
2016-12-07, 14:09
Hello,

I would like to know if anyone has had success in getting a 1140/1430 to use 2 ISPs and to fail over the IPSec tunnel? We also need it to be able to fail back. I can't imagine that this box has the capability of supporting two broadband links and Check Point did not have the foresight to allow the IPSec tunnel to fail back and forth. What a mess.

1180

mcnallym
2016-12-07, 16:39

Not exactly two ISP links, however we have had a 1400 with an MPLS and an Internet connection. Regular Check Point at the main office. Used a VPN between the two over the MPLS with backup over the Internet. Configured Link Selection for probing and had it probe the MPLS first and the Internet second, interface-wise.

When we disconnected the MPLS, the VPN failed over to using the Internet line, no problem.
Plugged the MPLS back in and it rerouted over the MPLS.

Worked the first time straight out of the box, no tweaking config, nothing.

jerryroy1
2016-12-07, 20:21

Are both links with static IPs?
The Link Selection was done on which object? The Center GW or the 1400?

laf_c
2016-12-08, 01:57

What if you use VTIs instead of classic Policy VPN then run OSPF over the two tunnels/VTIs? That should work.

msjouw
2016-12-08, 01:59
Even with dynamic IPs you can do this; there is, in the Internet interface configuration, a mechanism for checking the availability of the link. The embedded devices use a 'phone home' principle, so it does not care about static or dynamic IPs.

mcnallym
2016-12-08, 03:55

They are static IP addresses. Link Selection configured on both boxes so that VPN could be initiated in either direction.
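To make the failover and failback behaviour that mcnallym describes concrete (probe the MPLS first, the Internet second, move to the backup when the primary stops answering, move back once it answers again), here is an added illustrative model in Python. It is not Check Point's Link Selection code and makes no claim about the appliance's real probe timers or thresholds; the link names, thresholds and probe results are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LinkSelector:
    """Ordered, probe-driven link selection with failover and failback.

    links: interfaces in order of preference (constructed example: MPLS first,
           Internet second). The first link that is considered 'up' is used.
    down_threshold / up_threshold: consecutive probe results needed before a
           link changes state. This hysteresis (an assumption of this model)
           stops the tunnel from flapping on a single lost probe.
    """
    links: List[str]
    down_threshold: int = 3
    up_threshold: int = 2
    state: Dict[str, dict] = field(init=False)

    def __post_init__(self) -> None:
        self.state = {name: {"up": True, "fail": 0, "ok": 0} for name in self.links}

    def probe(self, results: Dict[str, bool]) -> Optional[str]:
        """Apply one round of probe results and return the link now in use."""
        for name in self.links:
            s = self.state[name]
            if results.get(name, False):
                s["fail"], s["ok"] = 0, s["ok"] + 1
                if not s["up"] and s["ok"] >= self.up_threshold:
                    s["up"] = True          # primary recovered: fail back
            else:
                s["ok"], s["fail"] = 0, s["fail"] + 1
                if s["up"] and s["fail"] >= self.down_threshold:
                    s["up"] = False         # primary lost: fail over
        return self.active_link()

    def active_link(self) -> Optional[str]:
        """Highest-preference link that is currently up, or None if all are down."""
        for name in self.links:
            if self.state[name]["up"]:
                return name
        return None


def simulate(rounds: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Run a constructed sequence of probe rounds and record the chosen link."""
    selector = LinkSelector(links=["mpls", "internet"])
    return [selector.probe(r) for r in rounds]
```

The simulation mirrors the thread: unplugging the MPLS moves the VPN to the Internet link after the failure threshold, and plugging it back in returns traffic to the MPLS once it answers probes again.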