CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Redundant Domain-Based Site2Site IPSEC tunnel

  1. #1 (Join Date: 2018-05-13, Posts: 13, Rep Power: 0)

    Redundant Domain-Based Site2Site IPSEC tunnel

    Hey there.

    Is it possible to configure 2 identical Domain based IPSEC VPN tunnels between Check Point appliances, behaving as Primary & Backup VPN?
    I heard that this can only be accomplished via Route based VPN (VTI interfaces) and Static Routes inside Gaia.

    Thank you.

  2. #2 (Join Date: 2007-03-30, Location: DFW, TX, Posts: 305, Rep Power: 13)

    Re: Redundant Domain-Based Site2Site IPSEC tunnel

    To confirm, you want a tunnel between FW-A and FW-B, then a second tunnel between FW-A and FW-C with the same networks behind FW-B and FW-C?

    If not, a diagram may help express what you want to build.
    Zimmie

  3. #3 (Join Date: 2018-05-13, Posts: 13, Rep Power: 0)

    Re: Redundant Domain-Based Site2Site IPSEC tunnel

    No, suppose that FW-A has 1 leased link and FW-B has 2 xDSL Internet links. I want a primary IPsec VPN between FW-A and FW-B via FW-B's first xDSL Internet link, and an IPsec VPN tunnel between FW-A and FW-B via FW-B's second xDSL Internet link.

    How am I going to set this scenario up with Policy Based VPNs?


    Quote Originally Posted by Bob_Zimmerman
    To confirm, you want a tunnel between FW-A and FW-B, then a second tunnel between FW-A and FW-C with the same networks behind FW-B and FW-C?

    If not, a diagram may help express what you want to build.

  4. #4 (Join Date: 2007-06-04, Posts: 3,301, Rep Power: 17)

    Re: Redundant Domain-Based Site2Site IPSEC tunnel

    Quote Originally Posted by nickliako
    No, suppose that FW-A has 1 leased link and FW-B has 2 xDSL Internet links. I want a primary IPsec VPN between FW-A and FW-B via FW-B's first xDSL Internet link, and an IPsec VPN tunnel between FW-A and FW-B via FW-B's second xDSL Internet link.

    How am I going to set this scenario up with Policy Based VPNs?
    Real easy.

    FW-B has two Internet connections, so presumably has ISP Redundancy configured and can use both lines.

    Use VPN Link Selection and configure it to Use Probing. Set Link redundancy mode to High Availability.

    Then under Configure, specify to probe the two external interfaces, select the first xDSL line IP as the Primary Address, and use "Using ongoing probing" for the probing method.

    Install policy to the two gateways.

    FW-A will then use the VPN probing to test connectivity to the primary xDSL line IP and, if available, will use that as the VPN termination point at FW-B. If that fails, then it will attempt to use the secondary xDSL interface IP.

    If separately managed, then define FW-B as an Externally Managed Gateway so that you can still configure the VPN Link Selection.
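The selection behaviour described in this answer (probe both of FW-B's external addresses, prefer the primary, fall back to the secondary, and with ongoing probing move back once the primary answers again) can be modelled as a small state machine. The following is an added example and not code from the thread or from Check Point; the addresses, the probe sequence and the simplified one-time-probing semantics are constructed assumptions for illustration.

```python
"""Model of probing-based VPN Link Selection in High Availability mode.

Constructed illustration, not Check Point code. FW-A knows FW-B's two
external addresses (one primary, the rest secondary), probes each of them
every cycle, and terminates the tunnel at the primary whenever it answers,
otherwise at the first secondary that answers. Ongoing probing re-evaluates
the choice every cycle, so the tunnel moves back once the primary recovers;
one-time probing (simplified here as an assumption) keeps the chosen address
until it stops answering. Addresses come from documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses for FW-B's two xDSL lines.
FWB_PRIMARY = "203.0.113.10"
FWB_SECONDARY = "198.51.100.10"


@dataclass
class LinkSelector:
    """Chooses FW-B's termination address from the latest probe results."""
    primary: str
    secondaries: List[str]
    ongoing: bool = True              # True: ongoing probing; False: one-time probing
    current: Optional[str] = None     # address the tunnel is terminated at now
    history: List[Optional[str]] = field(default_factory=list)

    def _best(self, reachable: Dict[str, bool]) -> Optional[str]:
        # High Availability: primary first, then secondaries in order; None = no tunnel.
        if reachable.get(self.primary, False):
            return self.primary
        for addr in self.secondaries:
            if reachable.get(addr, False):
                return addr
        return None

    def cycle(self, reachable: Dict[str, bool]) -> Optional[str]:
        """One probing interval. reachable maps peer address -> probe answered."""
        must_reselect = (
            self.ongoing
            or self.current is None
            or not reachable.get(self.current, False)
        )
        if must_reselect:
            self.current = self._best(reachable)
        self.history.append(self.current)
        return self.current


def run(probe_results: List[Dict[str, bool]], ongoing: bool = True) -> List[Optional[str]]:
    """Feed a sequence of probe cycles through a selector; return the per-cycle choice."""
    sel = LinkSelector(primary=FWB_PRIMARY, secondaries=[FWB_SECONDARY], ongoing=ongoing)
    for reachable in probe_results:
        sel.cycle(reachable)
    return sel.history


def transitions(history: List[Optional[str]]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Cycles at which the termination address changed: (cycle, old, new).
    Each change is a link failover or fail-back, which is worth logging and alerting on."""
    changes: List[Tuple[int, Optional[str], Optional[str]]] = []
    prev: Optional[str] = None
    for i, addr in enumerate(history):
        if i > 0 and addr != prev:
            changes.append((i, prev, addr))
        prev = addr
    return changes


# Constructed probe sequence: both lines up, primary fails, primary recovers, both fail.
SAMPLE_PROBES = [
    {FWB_PRIMARY: True,  FWB_SECONDARY: True},
    {FWB_PRIMARY: False, FWB_SECONDARY: True},
    {FWB_PRIMARY: True,  FWB_SECONDARY: True},
    {FWB_PRIMARY: False, FWB_SECONDARY: False},
]

if __name__ == "__main__":
    for mode in (True, False):
        hist = run(SAMPLE_PROBES, ongoing=mode)
        print("ongoing" if mode else "one-time", hist, transitions(hist))
```

Running the same probe sequence in both modes shows why the answer picks ongoing probing: only the ongoing selector returns to the primary xDSL line in the third cycle, whereas the one-time selector stays on the secondary until that line also fails. The `transitions` helper is the piece an operator would wire to monitoring, since every address change corresponds to a line failover or fail-back on FW-B.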
