CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VPN Redundancy how to?

  1. #1
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    7

    Default VPN Redundancy how to?

    I have a scenario and wanted to configure VPN Redundancy.

    I have a Firewall cluster behind a load balancer; the two valid IPs (Internet IPs) are configured on the load balancer, and we have an intermediate network between LB and FW.

    Now the Link Selection is configured as NATed with the external IP.

    I wanted to configure VPN Redundancy, but don't know how.

    The configuration must work with CP to CP and with another type of FW.

  2. #2
    Join Date
    2014-01-23
    Posts
    28
    Rep Power
    0

    Default Re: VPN Redundancy how to?

    You may want to look at the Link Selection page under the VPN tab, "Use probing - Link redundancy mode". sk56384 outlines some of the concepts of this feature.

  3. #3
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    7

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by tjtj211:
    You may want to look at the Link Selection page under the VPN tab, "Use probing - Link redundancy mode". sk56384 outlines some of the concepts of this feature.
    I know that, but this doesn't work with another kind of FW.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,166
    Rep Power
    13

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by crosspopz:
    I have a scenario and wanted to configure VPN Redundancy.

    I have a Firewall cluster behind a load balancer; the two valid IPs (Internet IPs) are configured on the load balancer, and we have an intermediate network between LB and FW.

    Now the Link Selection is configured as NATed with the external IP.

    I wanted to configure VPN Redundancy, but don't know how.

    The configuration must work with CP to CP and with another type of FW.
    For redundant Check Point to Check Point VPNs you leverage the proprietary protocol RDP via ongoing probing under Link Selection; I have set it up and it works.

    There is no easy way to do this with a 3rd party Interoperable Device object. One horribly convoluted way I just thought of but may not even work is the following:

    1) Enable Dead Peer Detection (DPD) which is possible in R77.10 and later (sk97746) on the Check Point and 3rd party gateway

    2) On the Interoperable Device (ID) VPN object representing the 3rd party peer, set for Dynamic Address on the General Properties screen and on the Topology page; on Link Selection page of ID select DNS Resolving and type in a DNS resolvable name like partner.blah.com

    3) Because DNS resolving is being used to resolve the peer IP address, certificates must be used to authenticate IKE phase 1 (a pre-shared secret cannot be used here which is a real killer). Import the CA certificate of your peer's CA as trusted, and export your Internal Certificate Authority's (ICA) certificate and send it to the peer's administrator who will import it as trusted.

    4) Set up an automated process on your Network Management Station (NMS) that constantly pings both external addresses of the 3rd party peer, suppose they are 129.82.102.32 (primary) and 63.55.55.1 (secondary). If both addresses are responding, a script will instruct your local DNS server to return IP address 129.82.102.32 when a lookup for name partner.blah.com occurs on your internal DNS server. If 129.82.102.32 stops responding, the NMS script updates the A record for partner.blah.com from 129.82.102.32 to 63.55.55.1. DPD on the firewall figures out that the tunnel is dead within 10 seconds, brings down the tunnel, does a DNS lookup of partner.blah.com and tries the tunnel again.

    The only thing I'm not sure about is whether the firewall would do a fresh DNS lookup every time for partner.blah.com or just look in its local cache. I guess you could get around this by setting the TTL for the partner.blah.com A record to a very low value like 10 seconds, although I don't know if Gaia would honor such a low TTL.

    I said it was convoluted... now that DPD is available in R77.10 it sure would be nice to be able to do VPN redundancy with 3rd party VPN devices...
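
As an added illustration of the NMS-side piece of the procedure above (this is not code from the thread or from any Check Point product): a probe loop that tracks both peer addresses, decides which one the A record should point to, and emits an RFC 2136 dynamic update for the DNS server. The addresses and the name partner.blah.com are the sample values from the post; the consecutive-failure threshold, the preemption back to the primary after it recovers, and the use of nsupdate (with a TSIG key assumed to be configured out of band) are assumptions added here.

```python
"""Added example: DNS-based VPN peer failover logic, as sketched in the thread."""
import subprocess
import time

PRIMARY = "129.82.102.32"   # sample peer addresses from the post
SECONDARY = "63.55.55.1"
RECORD = "partner.blah.com"
TTL = 10                    # low TTL so the gateway re-resolves quickly after a change
FAIL_THRESHOLD = 3          # consecutive failed probes before failing over (assumption)
RECOVER_THRESHOLD = 3       # consecutive good probes before preempting back to primary


def probe(ip: str, timeout: int = 2) -> bool:
    """One ICMP probe using the system ping binary; True if the peer answered."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


class Failover:
    """Tracks probe history for both peers and decides which IP the A record gets."""
    def __init__(self) -> None:
        self.active = PRIMARY
        self.ok = {PRIMARY: 0, SECONDARY: 0}    # consecutive successes
        self.bad = {PRIMARY: 0, SECONDARY: 0}   # consecutive failures

    def step(self, up_primary: bool, up_secondary: bool) -> str:
        status = {PRIMARY: up_primary, SECONDARY: up_secondary}
        for ip, up in status.items():
            self.ok[ip] = self.ok[ip] + 1 if up else 0
            self.bad[ip] = 0 if up else self.bad[ip] + 1
        if self.active == PRIMARY:
            # Fail over only after repeated failures, and only to a peer that answers.
            if self.bad[PRIMARY] >= FAIL_THRESHOLD and status[SECONDARY]:
                self.active = SECONDARY
        elif self.ok[PRIMARY] >= RECOVER_THRESHOLD:
            self.active = PRIMARY   # primary stable again: preempt back, as in the post
        elif self.bad[SECONDARY] >= FAIL_THRESHOLD and status[PRIMARY]:
            self.active = PRIMARY
        return self.active          # both down: keep the current record unchanged


def nsupdate_script(ip: str, server: str = "127.0.0.1") -> str:
    """Build an nsupdate batch that replaces the A record for RECORD with ip."""
    return "\n".join([f"server {server}", f"update delete {RECORD}. A",
                      f"update add {RECORD}. {TTL} A {ip}", "send", ""])


def run_forever(interval: int = 5, probe_fn=probe) -> None:
    fo, published = Failover(), None
    while True:
        want = fo.step(probe_fn(PRIMARY), probe_fn(SECONDARY))
        if want != published:   # only touch DNS when the answer actually changes
            subprocess.run(["nsupdate"], input=nsupdate_script(want), text=True)
            published = want
        time.sleep(interval)
```

Whether the gateway honours the 10-second TTL or keeps its own cache, as the post wonders, still has to be verified on the gateway itself; the loop above only controls what the DNS server answers.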

  5. #5
    Join Date
    2018-03-01
    Location
    France
    Posts
    6
    Rep Power
    0

    Default Re: VPN Redundancy how to?

    I'm having the same problem:
    - local: R80.10 gateways with ISP redundancy (local ISP redundancy is working fine with VPN)
    - remote: 3rd party firewalls (Stormshield) with 2 ISPs also.

    The DNS solution adds a lot of dependencies (script, DNS update, etc.).

    Is there now with R80.10 a simple way to make local gateways use the two remote IP addresses (HA, not LB)?

    (Tried MEP but works only with CP gateways).

    Thanks in advance !

    Patrick

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,610
    Rep Power
    8

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by PatrickProy:
    I'm having the same problem:
    - local: R80.10 gateways with ISP redundancy (local ISP redundancy is working fine with VPN)
    - remote: 3rd party firewalls (Stormshield) with 2 ISPs also.

    The DNS solution adds a lot of dependencies (script, DNS update, etc.).

    Is there now with R80.10 a simple way to make local gateways use the two remote IP addresses (HA, not LB)?

    (Tried MEP but works only with CP gateways).

    Thanks in advance!

    Patrick
    This might be a little exotic, but does the remote side support VTI or route-based VPNs? It's the same thing, just a different name. They're interesting because the VPN doesn't use local and remote encryption domains. You end up with a virtual interface that operates like a point-to-point connection: IP x is you, IP y is them. Then you can run OSPF or BGP across it and cost it like it was a WAN link, and then you get the HA aspect. Both tunnels would be up all the time.

  7. #7
    Join Date
    2018-03-01
    Location
    France
    Posts
    6
    Rep Power
    0

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by jflemingeds:
    This might be a little exotic, but does the remote side support VTI or route-based VPNs? It's the same thing, just a different name. They're interesting because the VPN doesn't use local and remote encryption domains. You end up with a virtual interface that operates like a point-to-point connection: IP x is you, IP y is them. Then you can run OSPF or BGP across it and cost it like it was a WAN link, and then you get the HA aspect. Both tunnels would be up all the time.
    When I was looking at the VPN docs, I saw this VPN routing VTI, but the problem is that the admin on the other side doesn't know much about dynamic routing..., so the whole thing can easily end up in a GREAT routing mess :)

    But your answer gave me an idea: instead of dynamic routing, I could create two static routes with different weights. This could achieve HA with not much configuration on the other side.
    Problems now:
    - I'm not sure that the primary static route will be disabled when the VTI goes down.
    - Will the other firewall support VTI? VTI is a Check Point name, but maybe it's enough if I can get a local IP from the remote firewall.

    If anybody has ever done this... please help!

    I'll update this thread if I can make something work.


    Thanks for the answer,

    Patrick

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    207
    Rep Power
    12

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by PatrickProy:
    When I was looking at the VPN docs, I saw this VPN routing VTI, but the problem is that the admin on the other side doesn't know much about dynamic routing..., so the whole thing can easily end up in a GREAT routing mess :)

    But your answer gave me an idea: instead of dynamic routing, I could create two static routes with different weights. This could achieve HA with not much configuration on the other side.
    Problems now:
    - I'm not sure that the primary static route will be disabled when the VTI goes down.
    - Will the other firewall support VTI? VTI is a Check Point name, but maybe it's enough if I can get a local IP from the remote firewall.

    If anybody has ever done this... please help!

    I'll update this thread if I can make something work.


    Thanks for the answer,

    Patrick
    The problem is the VTI never really "goes down" in the sense of losing link. You can always send traffic out the VTI. The firewall will try to encrypt it. If the firewall can't negotiate a key pair with the remote peer, the VTI is totally unaware. In your proposed deployment with static routes, traffic would only ever use the one link unless somebody changed the route weight "manually". It wouldn't happen automatically like it does when you unplug a physical interface with a static route leading out of it.

    You can definitely do VTIs on a Check Point firewall and non-virtual-interface-based IPSec on the other end. You just can't do dynamic routing over it unless both sides know to send and receive dynamic routing updates and agree on the IP addresses in use.

    VTIs are a great solution to this problem at a technical level, but it sounds like they wouldn't work for you.
    Zimmie

  9. #9
    Join Date
    2018-03-01
    Location
    France
    Posts
    6
    Rep Power
    0

    Default Re: VPN Redundancy how to?

    Quote Originally Posted by Bob_Zimmerman:
    The problem is the VTI never really "goes down" in the sense of losing link. [....]
    I'll discuss dynamic routing again with the other admin, or do some scripting if dynamic routing is not an option (but in this case the DNS solution can be better).

    I also have to check what happens in case of asymmetrical VPN routing (packet going into the first tunnel and response into the other one).

    Regards,

    Patrick
