How do I configure two different VPNs (one primary and one secondary) from Check Point firewalls to the Cisco ASA of a partner company, each one over a different ISP?
The idea is to have the maximum possible redundancy in case of loss of an ISP, VPN downtime, etc., so that we can continue working.
How could I configure the Check Points for this? Is it necessary to change the routes? And the NAT?
Anyway, I am open to any alternative topology.
I attached my topology proposal.
https://ibb.co/ZVmHVMr
Best regards.
Surely it’s as simple as having some dynamic routing between the Checkpoint and the router or routers that the ISP links are on? The endpoint address of the VPN (the ASA) is not changing so you’re only really concerned with the path to this destination going via ISP A unless it fails, in which case you want to use ISP B. The ASA won’t care what path the encrypted packets take to get to it and if the failover is quick the ASA may not even tear the VPN down.
Or am I missing something fundamental?
It’s been a while since I used Check Point, but the routing config side of things would be done at the OS level, e.g. Gaia, and then Check Point with the VPN runs on top of that. As Check Point will only have one interface, albeit virtual, I think you just create your site-to-site VPN and it will use the virtual address, and cluster failover will take care of which node the traffic actually comes from.
On the ASA, all you do is configure the VPN with the primary peer address (whatever public address you’ll NAT behind on ISP 1). Then, add the public address for ISP 2 as a backup peer. In ASDM, this is under configuration → site-to-site VPN → advanced → crypto maps. If you’re using CLI, you would do “crypto map set peer <ip.of.peer.1> <ip.of.peer.2>”.
I think you then need to create a tunnel group to match the IP of the ISP 2 address otherwise the ASA won’t accept the VPN.
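As an added illustration of the ASA side described in the post above (this is example configuration, not text from the original thread or from Cisco's documentation), the following shows a crypto map with a primary and a backup peer plus one tunnel-group per peer address. All addresses, object names and the pre-shared-key placeholder are assumptions: 198.51.100.10 stands for the Check Point's public address behind ISP 1 and 203.0.113.10 for its address behind ISP 2; replace them with your own.

```cisco
! IKEv2 policy and ESP proposal (example values; align with the Check Point side)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: local LAN to partner LAN (assumed subnets)
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network PARTNER_LAN
 subnet 10.20.0.0 255.255.0.0
access-list VPN_TO_PARTNER extended permit ip object LOCAL_LAN object PARTNER_LAN

! NAT exemption so VPN traffic keeps its real addresses
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static PARTNER_LAN PARTNER_LAN no-proxy-arp route-lookup

! Crypto map: primary peer (ISP 1 address) first, backup peer (ISP 2 address) second
crypto map OUTSIDE_MAP 10 match address VPN_TO_PARTNER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer address, otherwise the ASA rejects the
! negotiation when the Check Point arrives from the ISP 2 address
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
```

The ASA tries the peers in the order listed on the `set peer` line when it initiates, and accepts an incoming negotiation from either address because each has a matching tunnel-group. After a failover, `show crypto ikev2 sa` and `show crypto ipsec sa peer <address>` show which peer address the active tunnel is using.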
Hi!
You are right, the endpoint address of the ASA never changes.
The fundamental thing for me is the endpoint IP address of the Check Point; this IP should be public, but ISP1 and ISP2 have different IP ranges (obviously), so I don’t know how to configure it.
Kind regards.
Just to put you in the picture, I want to do something similar to:
https://www.cisco.com/c/en/us/support/docs/security-vpn/security-vpn/216709-configure-failover-for-ipsec-site-to-sit.html
But I am not able to find anything for Check Point.
Kind regards.