Support Center > Search Results > SecureKnowledge Details
How To Create a Redundant, Service-based MPLS/Encrypted Link VPN Technical Level
Solution

Note: This article is related only to IPv4 traffic. IPSO acceleration is not supported for this solution.

Table of Contents:

  • Background
  • Topology
  • Network Requirements
  • Configuration
  • FAQ

Background

In some network topologies, a clear-text MPLS link (encryption is not required) is deployed in addition to an encrypted Internet link between Check Point VPN Gateways. (The MPLS link should be defined as external or have the networks exempt from the Anti-Spoofing list).

Customers can configure certain services to be routed through the MPLS link in clear-text, while other services are forward encrypted through the Internet link.

This topology requires an available route. If a link goes down, the VPN Gateway reroutes traffic on another available link.

This article shows the topology, describes the network requirements, and provides the configuration procedure.

 

Topology

 

Network Requirements

  1. VoIP traffic (control and data connections) and HTTP connections are routed through the eth1 interfaces of the VPN Security Gateways in clear text through the MPLS link.

  2. All other traffic (except VoIP and HTTP) is encrypted and routed through the eth0 interfaces of the VPN Security Gateways.

  3. If the clear-text link (MPLS) fails, VoIP traffic is rerouted (failover VoIP) to the encrypted link, without breaking any SIP session. However, the HTTP traffic stays on the MPLS link, and does not fail over.

  4. If the encrypted link goes down, all of its traffic is rerouted through the MPLS link clear-text packets.

  5. When a failed link recovers, the initial service-based link selection policy is enforced again.

 

Configuration

This configuration is based on the topology diagram shown above.

  1. Basic VPN Configuration:

    1. Enable VPN IPSec blade on both the London_GW and Paris_GW VPN Security Gateways.

    2. In the Topology tab of each VPN Security Gateway, make sure the VPN Domain is properly configured.

    3. Add the London_GW and Paris_GW VPN Security Gateways to a Site-to-Site VPN community.

    4. Install the policy.


  2. VPN Service-Based Link Selection:

    1. In the Link Selection page of each VPN Security Gateway, select Use probing and choose Load Sharing as the link redundancy mode. For example:


      Setting Use probing as the link selection method in a VPN Security Gateway object. London_GW  causes peer members in the VPN community, such as Paris_GW, to send RDP probing packets toward the VPN Security Gateway IP addresses to detect which link is alive.

      Once the peer VPN Security Gateways map available links according to the Link redundancy mode, VPN connections are routed on the available links.

      In a High Availability configuration, all VPN connections are routed through one available link. You can configure a primary link as the default for this configuration.

      In a Load Sharing configuration, VPN connections are shared equally between two available links. To configure service-based link selection, you should select Load Sharing on both VPN Security Gateways. This is because in Load Sharing configuration each VPN Security Gateway routes VPN connections on more than one available link.

    2. On the Link Selection page, click the Configure button to open the Probing Settings dialogue. Select Probe the following addresses and add the IP addresses of eth0 and eth1  for the configured VPN Security Gateway:

      This way, the peer VPN Security Gateways send RDP probing packets only to the relevant IP addresses available for VPN and not to all of the interfaces of the peer VPN Security Gateways (default option).

    3. On the Link Selection page of each peer VPN Security Gateway, select Route Based probing.

      If you enable "Service-based Link Selection," you must enable "Route based probing," even if alternative routes with lower metric are not defined.

    4. Optional: Configure faster detection of link failure. By default, an RDP session starts at 30 second intervals. An RDP session waits up to 10 seconds for an RDP reply packet before it concludes that a link is down. Therefore, with the default settings traffic takes up to 40 seconds to reroute (failover) on the available link. These RDP resolver settings also determine how Secure Clients probe Remote Access Security Gateways to detect available links.

      To improve link failure detection:
      1. In SmartConsole, go to Menu > Global properties.
      2. In the Advanced section at the bottom, click the Configure... button.
      3. In the left tree, expand the Firewall-1 section.
      4. Click Resolver.
      5. Configure the applicable values.
        These RDP resolver settings also affect Remote Access VPN clients that use probing to detect available link to the VPN Gateway. Check Point recommends lower values for Site-to-Site topologies.
        For example:
        • change resolver_ttl from 10 to 5
        • change resolver_session_interval from 30 to 10

    5. Service-Based Link Selection settings.

      Note - If redundancy is required for all the services, then skip this step.

      Edit this Service Based Link Selection configuration file on the Security Management Server:

      $FWDIR/conf/vpn_service_based_routing.conf

      The SIP and HTTP services that are explicitly configured within the configuration file are rerouted on the outgoing interfaces, in this case eth1 interfaces (MPLS link). The rest of the traffic is delivered by other available links that do not use eth1 as the outgoing interface. In this case, all other traffic is rerouted through the eth0 interfaces of each VPN Security Gateway (Internet link).

      If all outgoing interfaces of a VPN Security Gateway are configured to use a certain service, then traffic over other services is load shared between the available links. For example, if HTTP is configured on eth0 on both VPN Security Gateways, then:

      • SIP traffic is enforced on the MPLS link (eth1 interfaces).
      • HTTP traffic is enforced on the Internet link (eth0 interfaces).
      • All the other traffic is load shared between the two links.

      Configure the names, interfaces, and services of the two VPN Security Gateways to be the same as in SmartConsole / SmartDashboard. You can also quote a service group containing multiple services in the Service column.

  3. Configuring an MPLS link as clear-text, trusted link.

    Configure both end point interfaces of the trusted (MPLS) link, eth1@London_GW and eth1@Paris_GW, as "VPN trusted".

    Configure the trusted interface with GuiDBedit Tool for the two member VPN Security Gateways (London_GW and Paris_GW):

    1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    2. Connect to Security Management Server / Domain Management Server with GuiDBedit Tool.

    3. In the left upper pane, select Table - Network Objects - network_objects.

    4. In the right upper pane, select the relevant Security Gateway / Cluster object.

    5. Press CTRL+F (or select Search - Find) - paste vpn_trusted - click Find Next.

    6. In the lower pane, below the eth1 interface (refer to the officialname attribute) - right-click on vpn_trusted - Edit... - choose true - click OK.

      Example for the London_GW VPN Security Gateway:

    7. Save the changes: select File - click  Save All.

    8. Close the GuiDBedit Tool.

    9. Connect to the Security Management Server / Domain Management Server with SmartDashboard.

    10. Install the policy onto the relevant Security Gateway / Cluster object.
  4. Routing.

    To detect availability of the links between the VPN Security Gateways and to reroute connections according to the service-based link selection policy, set the routes only between the external interfaces of the VPN gateways.

    RDP packets and IPSec packets designated to eth0 of the peer Security Gateway should be routed through the next hop router connected to the eth0 of the local Security Gateway.

    The eth1 packets designated to the IP address of eth1 of the peer gateway should go through eth1 of the local VPN Security Gateway.

    For the local VPN Security Gateway, you do not need to add routes to reach the peer VPN Security Gateway's VPN domain through the two links. However, since packets on the MPLS link are delivered as clear-text, routes to the VPN domains must be defined in the MPLS routers (connected to eth1).

 

FAQ

Show All

  • Which platforms are supported?
    Load Sharing Link Selection is supported in all platforms except UTM-1 Edge devices.
    Service-Based Link Selection is supported only in Gaia / SecurePlatform / Linux and IPSO OS.
    Service based link selection is NOT supported for Check Point R77.20 for 600 / 700 Appliances.
    VPN traffic between peers configured with Load Sharing or Service-Based link selection is not accelerated by IPSO acceleration devices.
  • What are the related limitations for R71 and above?
    Services defined as port range are not supported. Only the first port in the range will be considered.
    Encryption logs are issued for clear-text traffic released on trusted interfaces even though the traffic was not encrypted.
    When Route Based VPN with OSPF is configured with load sharing or service based link selection OSPF adjacencies might be lost.

    Workaround:
    Additional policy installation operation is restoring OSPF adjacencies.
    Trusted interfaces with MEP configuration are not supported.
    Trusted interfaces is not supported when CoreXL is enabled.
  • Consider there are more than one encrypted links between the gateways, are different VPN tunnels generated per each link?
    No, the VPN tunnels are only generated between VPN gateways according to the "VPN Tunnel Sharing" settings in the VPN gateway object or in the VPN community. Tunnels are not generated per link, the VPN gateway just redistributing the same VPN tunnel traffic among the available links.
  • What happens when all links between the VPN gateways are down?
    Once all links are down, Service-Based initial policy will be enforced. In this case, VoIP and HTTP traffic will be rerouted through MPLS and the rest of the traffic encrypted through the Internet.

    It is possible to configure an on-demand link that will be activated once all links are down:
    1. SmartDashboard - go to 'Policy' menu - click on 'Global Properties' - go to 'SmartDashboard Customization' - at the bottom, click on 'Configure...' button.
    2. Expand 'VPN Advanced Properties' section - go to 'Link Selection'.
    3. Check the box 'use_on_demand_links'.
    4. Set the minimum metric level for an on-demand link next to the 'on_demand_metric_min' command (a link is considered on-demand only if its metric is equal or higher than the configured minimum metric).
    5. Click on 'OK' to apply the settings.
    6. Save the changes: go to 'File' menu - click on 'Save'.
    7. Install policy onto all involved Security Gateways.

    The above and additional attributes ('on_demand_initial_script' and 'on_demand_shutdown_script') can be configured using the GuiDBedit Tool.

    Refer to VPN Administration Guide (R71, R75, R75.40, R75.40VS, R76, R77) - Chapter 'Link Selection' - On Demand Links (ODL).
  • Can I use Service-Based link selection to route only clear-text traffic, with no encryption?
    In some cases it is possible: first, it depends on the topology. Service-Based Link Selection can work only between two VPN gateways members in same VPN community. Service-Based Link Selection policy is applied only for VPN traffic between VPN domains of the gateways.
    To enable only clear-text links between the gateways (no encrypted link), ALL of the links between the VPN gateways should be configured as Trusted links (as described in this article), for the MPLS link. Setting purely trusted links between VPN gateways affects latency of the clear traffic for the following two reasons:
    1. Even though all links between the gateways are defined as trusted, IKE negotiation will still run before sending the traffic.
    2. SXL Accept templates will not be supported, increasing latency on the first packet of the connection.
  • How about interoperability with non Check Point VPN devices?
    Interoperability with non Check Point VPN gateways is not supported.
    RDP (probing) protocol is Check Point proprietary.
    Interoperable VPN devices generate VPN tunnels per interface, whereas in this solution the tunnel is generated between VPN peers regardless of the number of outgoing VPN interfaces and links deployed between the VPN gateways.
  • Is Route Based VPN supported?
    Yes. Only one VTI can be configured between a pair of VPN gateways, however if there are multiple physical links between the VPN gateways, then the link selection layer will perform the final rerouting of the VPN traffic via one of the physical interfaces, irrespective of the physical interface that is configured as the "proxy" interface for the VTI.
    Static routes or a dynamic routing protocol, such as OSPF, can then route traffic through the VTIs preconfigured towards other VPN peer gateways.
    There is no point in configuring a VTI interface to be a trusted interface as the traffic is not delivered on the VTI interface but rerouted on the physical interfaces by the link selection layer.
  • Can certain service's be load shared between few links?
    Yes. For example, consider the following 'vpn_service_based_routing.conf' file:

    SIP traffic will be load shared between eth1 and eth2 of each gateway

  • If a link goes down all of its related traffic will failover to the secondary link. Once the link is restored will all the related traffic return to the restored link?
    Only new connections will start via the restored link, old connections will stay on the secondary link.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment