CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: ISP Redundancy Configuration

  1. #1
    ISP Redundancy Configuration

    Hi,

    We have two 12200 VSX appliances which are configured in a cluster (VSLS) with one ISP (ISP1).
    We have a setup as follows:

    Server ----- VPN Router ----- Firewall ---- ISP1 -------------- IPSec VPN Client (almost 10 clients)

    The VPN router interface is NATted on the firewall with a public IP of ISP1 for establishing the IPSec VPN between the client and the VPN router. It works perfectly fine.

    Now we have proposed one more ISP (ISP2) for ISP failover.
    1. How can we configure ISP failover on the Check Point firewall?
    2. How can we configure NATting and other things? When the primary link (ISP1) goes down, traffic will move to the secondary link (ISP2), but the client has the ISP1 public IP configured for IPSec VPN. How can we handle this?

    Any kind of help is appreciated.

    Thanx
    Arjun

  2. #2
    Re: ISP Redundancy Configuration

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700&partition=General&product=VSX

    You will see that ISP Redundancy on VSX is NOT supported. (Hopefully it will get removed from normal gateways as well.)
    ISP Redundancy is the feature that is used for NATing depending upon the link that is being used (when/if it works).

    You can probably tell from this that I am NOT a fan of ISP Redundancy on Check Point.

    You will likely need to look at an external product such as F5 LTM to provide the ISP redundancy, whereby the F5 sits outside of the firewall and handles the NAT/link selection for you. It isn't something that I have personally worked with; however, hopefully others here have more experience with suitable products that can be used.

  3. #3
    Re: ISP Redundancy Configuration

    Quote Originally Posted by mcnallym
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700&partition=General&product=VSX

    You will see that ISP Redundancy on VSX is NOT supported. (Hopefully it will get removed from normal gateways as well.)
    ISP Redundancy is the feature that is used for NATing depending upon the link that is being used (when/if it works).

    You can probably tell from this that I am NOT a fan of ISP Redundancy on Check Point.

    You will likely need to look at an external product such as F5 LTM to provide the ISP redundancy, whereby the F5 sits outside of the firewall and handles the NAT/link selection for you. It isn't something that I have personally worked with; however, hopefully others here have more experience with suitable products that can be used.

    Hi mcnallym,

    The provided link is opening:
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700&partition=General&product=VSX
    but it is giving the error "Solution could not be found in the system".

    Is there any other way?

    Thanx for your revert.
    Thanx
    Arjun

  4. #4
    Re: ISP Redundancy Configuration

    Quote Originally Posted by mcnallym
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700&partition=General&product=VSX

    You will see that ISP Redundancy on VSX is NOT supported. (Hopefully it will get removed from normal gateways as well.)
    ISP Redundancy is the feature that is used for NATing depending upon the link that is being used (when/if it works).

    You can probably tell from this that I am NOT a fan of ISP Redundancy on Check Point.

    You will likely need to look at an external product such as F5 LTM to provide the ISP redundancy, whereby the F5 sits outside of the firewall and handles the NAT/link selection for you. It isn't something that I have personally worked with; however, hopefully others here have more experience with suitable products that can be used.

    Hi,

    I have also checked the second thing.
    In version R77.30, there is an option for ISP redundancy.
    Thanx
    Arjun

  5. #5
    Re: ISP Redundancy Configuration

    sk79700 is the SK article, so open that on the Check Point support site.

    It is an SK article showing the VSX supported features on R75.40VS and above, and it breaks down what is available on the VSX gateways.

    Regular gateways support ISP Redundancy; VSX gateways don't.

  6. #6
    Re: ISP Redundancy Configuration

    Quote Originally Posted by mcnallym
    sk79700 is the SK article, so open that on the Check Point support site.

    It is an SK article showing the VSX supported features on R75.40VS and above, and it breaks down what is available on the VSX gateways.

    Regular gateways support ISP Redundancy; VSX gateways don't.

    Hi,

    Ohh... OK. VSX does not support ISP failover.

    If we connect the second ISP on the router, will it work? Is there any way to track the link for failover?

    Thnx a lot.
    Thanx
    Arjun

  7. #7
    Re: ISP Redundancy Configuration

    Quote Originally Posted by sawant.arjun@gmail.com
    Hi,

    Ohh... OK. VSX does not support ISP failover.

    If we connect the second ISP on the router, will it work? Is there any way to track the link for failover?

    Thnx a lot.

    Hi,

    If we convert the gateway from VSX to a security gateway and configure dual ISP successfully, and my primary link goes down and failover happens, then how would the remote client know to connect to the secondary ISP?
    It is preconfigured with the primary ISP only (IPSec).

    Thanx
    Arjun

  8. #8
    Re: ISP Redundancy Configuration

    Quote Originally Posted by sawant.arjun@gmail.com
    Hi,

    If we convert the gateway from VSX to a security gateway and configure dual ISP successfully, and my primary link goes down and failover happens, then how would the remote client know to connect to the secondary ISP?
    It is preconfigured with the primary ISP only (IPSec).

    Thanx
    Arjun

    Well, if you convert to a regular gateway, so that it is just one gateway, then yes, you can implement ISP Redundancy; however, presumably you went VSX so you could run multiple firewalls.

    However, in terms of remote gateways:

    Check Point - define both external interfaces under the gateway's topology, and then under VPN Link Selection you can select HA probing, so it will probe for the primary ISP and then, if there is no response, try the secondary.

    Non-Check Point - R77.10 onwards supports DPD, so you would define two gateways, one for each ISP, and then let it use DPD to determine whether the primary ISP is up or not. sk108600 covers VPN with 3rd party and covers off DPD as well.

  9. #9
    Re: ISP Redundancy Configuration

    Hi,

    Thanx for the revert.

    That is OK:
    "Check Point - define both external interfaces under the gateway's topology, and then under VPN Link Selection you can select HA probing, so it will probe for the primary ISP and then, if there is no response, try the secondary."

    But what about the client-side IPSec VPN configuration? Its IPSec VPN is configured with our primary ISP. On failure of our primary ISP, how will it connect to our secondary ISP for establishing the VPN?

    Thanx
    Arjun

  10. #10
    Re: ISP Redundancy Configuration

    Quote Originally Posted by sawant.arjun@gmail.com
    Hi,

    Thanx for the revert.

    That is OK:
    "Check Point - define both external interfaces under the gateway's topology, and then under VPN Link Selection you can select HA probing, so it will probe for the primary ISP and then, if there is no response, try the secondary."

    But what about the client-side IPSec VPN configuration? Its IPSec VPN is configured with our primary ISP. On failure of our primary ISP, how will it connect to our secondary ISP for establishing the VPN?

    Thanx
    Arjun

    Covered that on the line below. R77.10 onwards supports DPD (Dead Peer Detection), so if the primary drops it should go to the second gateway definition on their system, which is your secondary ISP link.

  11. #11
    Re: ISP Redundancy Configuration

    Hi,

    I am asking about the configuration at my remote client, where the IPSec VPN is configured on the router for my primary ISP only.
    What about my second ISP?
    Is it required to configure one more IPSec tunnel for my second ISP?

    Thanx
    Arjun

  12. #12
    Re: ISP Redundancy Configuration

    Quote Originally Posted by sawant.arjun@gmail.com
    Hi,

    I am asking about the configuration at my remote client, where the IPSec VPN is configured on the router for my primary ISP only.
    What about my second ISP?
    Is it required to configure one more IPSec tunnel for my second ISP?

    Thanx
    Arjun

    That's what I said to do. Define 2 gateways, 1 for each ISP, and then use DPD to detect that the 1st is down so it starts to use the second.

  13. #13
    Re: ISP Redundancy Configuration

    Hi mcnallym,

    Thanx for your revert and patience with my queries.

    Now I have got an understanding of DPD. But I don't think two gateways are required on the client router; he has his own ISP gateway.
    Anyhow, the client should ping both of my ISPs.

    Below is the config on my client router.

    crypto isakmp keepalive 30 periodic

    crypto isakmp key ***** address <Existing ISP>
    crypto isakmp key ***** address <New ISP>

    crypto map <Name> 10 ipsec-isakmp
     set peer <Existing ISP>
     set peer <New ISP>
     set transform-set <Name>
     match address <Acl Name>

    Please correct me if anything is wrong.
    Thanx
    Arjun

  14. #14
    Re: ISP Redundancy Configuration

    Quote Originally Posted by sawant.arjun@gmail.com
    Hi mcnallym,

    Thanx for your revert and patience with my queries.

    Now I have got an understanding of DPD. But I don't think two gateways are required on the client router; he has his own ISP gateway.
    Anyhow, the client should ping both of my ISPs.

    Below is the config on my client router.

    crypto isakmp keepalive 30 periodic

    crypto isakmp key ***** address <Existing ISP>
    crypto isakmp key ***** address <New ISP>

    crypto map <Name> 10 ipsec-isakmp
     set peer <Existing ISP>
     set peer <New ISP>
     set transform-set <Name>
     match address <Acl Name>

    Please correct me if anything is wrong.

    That is correct: you are setting two peers, i.e. two remote gateways to use for the crypto map. That tells the client box that both IPs / remote gateways are available for your networks.
    They will need to configure DPD on that box to look at both peer IPs and, if the primary IP fails, try the secondary.
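The failover the thread arrives at (two peers in the client's crypto map, DPD declaring the first dead, IKE then negotiating with the second) is modelled below as an added Python illustration; it is not code from the thread, from Check Point or from any router vendor. Only the 30 s keepalive interval comes from the posted config; the retry spacing, retry count, peer addresses and reachability state are assumed or constructed here.

```python
# Added illustration (not code from the thread, CPUG or any vendor): a model of
# Dead Peer Detection driving failover between the two peers in the client's
# crypto map. Timing values other than the 30 s interval are assumptions.
from dataclasses import dataclass, field


@dataclass
class DpdPolicy:
    interval: float = 30.0       # matches 'crypto isakmp keepalive 30 periodic'
    retry_interval: float = 2.0  # assumed spacing of retries after a missed ACK
    max_retries: int = 5         # assumed retries before the peer is declared dead
    periodic: bool = True        # False models 'on-demand': probe only when sending

    def worst_case_detection(self) -> float:
        """Longest time from a peer dying to it being declared dead."""
        return self.interval + self.max_retries * self.retry_interval


@dataclass
class VpnClient:
    peers: list                  # ordered 'set peer' list: [existing ISP, new ISP]
    policy: DpdPolicy
    reachable: set               # constructed: peer addresses that currently answer
    active: int = 0              # index of the peer the SA is currently built to
    events: list = field(default_factory=list)

    def _probe(self, peer: str) -> bool:
        # R-U-THERE / R-U-THERE-ACK exchange, modelled as a reachability lookup
        return peer in self.reachable

    def dpd_cycle(self, now: float, traffic_pending: bool = True):
        """One DPD cycle starting at time `now`. Returns (peer_in_use, time_decided)."""
        peer = self.peers[self.active]
        if not self.policy.periodic and not traffic_pending:
            return peer, now     # on-demand DPD: an idle tunnel is never probed
        if self._probe(peer):
            return peer, now
        t = now
        for _ in range(self.policy.max_retries):
            t += self.policy.retry_interval
            if self._probe(peer):
                return peer, t
        self.events.append(f"{t:.0f}s: {peer} declared dead, SA torn down")
        self.active = (self.active + 1) % len(self.peers)
        nxt = self.peers[self.active]
        self.events.append(f"{t:.0f}s: IKE negotiation started with {nxt}")
        return nxt, t
```

With the assumed retry values, a dead primary ISP is detected at most 40 s after it stops answering, and the model also shows why on-demand DPD leaves an idle tunnel pinned to the dead peer until traffic is sent.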
