CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Numbered VTI in cluster

#1 Numbered VTI in cluster


    I'm (still) relatively inexperienced with anything other than basic rule / object creation in Check Point, so apologies if this is a daft question. I've tried the admin guide and Google, but it still isn't clear.

    I'm in the process of setting up a site-to-site VPN using our R77.30 cluster here. The design that has come down from the architects is using numbered VTIs for route based VPNs.

    They have specified 10.x.x.x addresses for the VTIs, and have given me a local & remote IP for the cluster. My understanding is that each interface needs its own IP address (as the routing tables are still independent in a cluster), so I'd need a unique IP for each cluster member.

    So, my question is, do I need just the one IP and I can use it when I create the interface in gaia and in dashboard as the cluster address, or do I need 3 addresses, one for each physical box & one for the virtual IP?

    Thanks in advance


#2 Re: Numbered VTI in cluster

    That's a really good question. I've done a lot with VTIs, but not recently, and I don't remember the answer.

    It should be pretty easy to test in a lab. You just need three VMs. One standalone firewall to represent the remote end, and two for a cluster (which can be managed by the standalone).

    I don't know of any reason you couldn't stick a cluster VIP on a numbered VTI. There's no ARP, so the cluster VIP would ultimately just be a set of NAT rules for outgoing and incoming traffic from and to the interfaces themselves (i.e., for dynamic routing adjacencies). That traffic works just as well on non-monitored private interfaces, though, so a cluster VIP shouldn't be necessary.

    I'll test it out if I get some free time.

#3 Re: Numbered VTI in cluster

    When I configure a VTI, to be honest, I always use 169.254.x.x addresses. They are unique to the local box and won't overlap with actual networks.

    What I have is: each member gets its own IP address, then in SmartConsole I configure the cluster for the VTI.

    The remote IP that I configure in the VTI would be the cluster IP for the remote end.

    Tell the remote end the cluster VTI.

    I've never used the cluster IP directly on each member; I've always done the 3 IPs.
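The three-address scheme described in the reply above, written out as Gaia clish commands. This is an added example, not configuration posted by anyone in the thread or taken from the sk. The address plan (169.254.1.0/29: member A .1, member B .2, cluster IP .3, remote peer .4), the tunnel ID, the encryption-domain subnets and the peer object names "Remote_GW" and "Cluster_GW" are assumptions for illustration; the `peer` argument must match the name of the VPN peer's gateway object in SmartConsole exactly.

```clish
# --- Cluster member A (Gaia clish) ---
# Assumed addresses: own VTI IP 169.254.1.1, remote peer VTI IP 169.254.1.4.
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.4 peer Remote_GW
# Route the remote encryption domain (assumed 10.20.0.0/24) into the tunnel.
set static-route 10.20.0.0/24 nexthop gateway logical vpnt1 on
save config

# --- Cluster member B (Gaia clish) ---
# Same tunnel ID and same remote address as member A; only the local IP differs.
add vpn tunnel 1 type numbered local 169.254.1.2 remote 169.254.1.4 peer Remote_GW
set static-route 10.20.0.0/24 nexthop gateway logical vpnt1 on
save config

# --- Remote standalone gateway (the lab peer from post #2) ---
# Its local address is the "remote" used on both members above; its remote
# address is the cluster IP of vpnt1 (169.254.1.3), not either member's IP.
add vpn tunnel 1 type numbered local 169.254.1.4 remote 169.254.1.3 peer Cluster_GW
set static-route 10.10.0.0/24 nexthop gateway logical vpnt1 on
save config

# --- Checks on any box ---
show vpn tunnels
show interface vpnt1
show route
```

The third address (169.254.1.3 here) is never typed into clish on the members: after the tunnels exist on both, open the cluster object in SmartConsole, fetch the interfaces so vpnt1 appears in the topology, and set 169.254.1.3 as the cluster IP on that interface, which is the "configure the cluster for the VTI" step from the reply. From expert mode, `cphaprob -a if` on a member should then list vpnt1 alongside the other cluster interfaces.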

#4 Re: Numbered VTI in cluster

    Thanks for the replies.

    Doing a bit more research brings up sk100726 (https://supportcenter.checkpoint.com...=1562615083189) which I read as suggesting 3 IPs are needed per VTI.

