https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103124#M10083 <P>Hi Val,</P><P>&nbsp;</P><P>The CP&nbsp; GW version is R80.10.</P> Tue, 24 Nov 2020 10:48:31 GMT Dilev 2020-11-24T10:48:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103093#M10081 <P>Hi,</P><P>&nbsp;</P><P>We are having an issue with a vpn setup where we have a Checkpoint FW with one ISP line connected to it and a remote site (Juniper srx) with 2 ISP lines connected to it. We have 2 Ikev1 IPSEC vpn tunnels between the two sites that coming up(permanent tunnels enabled).<BR />Our issue is that the traffic between the two sites seems to be going through both tunnels at the same time instead of one tunnel being the primary one and the second one acting as a backup/failover in case the primary tunnel goes down for any reason.</P><P>What is the mechanism Checkpoint uses to determine which of the two tunnels it is going to send the traffic through and how can we specify it?</P> Tue, 24 Nov 2020 08:42:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103093#M10081 Dilev 2020-11-24T08:42:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103123#M10082 <P>Version fo CP GW?</P> Tue, 24 Nov 2020 10:46:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103123#M10082 _Val_ 2020-11-24T10:46:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103124#M10083 <P>Hi Val,</P><P>&nbsp;</P><P>The CP&nbsp; GW version is R80.10.</P> Tue, 24 Nov 2020 10:48:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103124#M10083 Dilev 2020-11-24T10:48:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103129#M10084 <P><A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/13924" target="_blank">https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/13924</A><BR /><BR />Look under "Link Selection with non-Check Point Devices" section.&nbsp;</P> <P>&nbsp;</P> <P>Which part initiates VPN tunnel, Juniper or CP? If Juniper, you should look there first.&nbsp;</P> Tue, 24 Nov 2020 11:03:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/103129#M10084 _Val_ 2020-11-24T11:03:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/104949#M10085 <P>Hi,</P><P>&nbsp;</P><P>We've tried the things suggested in the article, but we are still having issues with the traffic selection.</P><P>Currently, the traffic from the checkpoint is taking the backup tunnel to our SRX, instead of the primary one. How can we force it to use one tunnel over the other and switch to the second only if the traffic through the first one fails?</P> Thu, 10 Dec 2020 10:44:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/104949#M10085 Dilev 2020-12-10T10:44:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/104963#M10086 <P>I suggest using VTIs with a routing protcol over it.<BR /><BR />What is known as "Route based VPN"</P><P>&nbsp;</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk31012&amp;partition=Basic&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk31012&amp;partition=Basic&amp;product=IPSec</A></P><P>&nbsp;</P><P>Check IPsec VPN admin guide for your version.<BR /><BR />Also you can check config guides for AWS or azure as reference.</P> Thu, 10 Dec 2020 11:49:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-VPN-gateway-traffic-selection/m-p/104963#M10086 Juan_ 2020-12-10T11:49:30Z