https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129144#M26473 <P>Yes sir! So, say fw1 has VTI with IP 169.254.0.10 and fw2 is 169.254.0.11 and VIP is .12 and remote is say 169.254.0.15 (just making that up, but you get the idea, right?). MAKE SURE the peer name when creating vti interface&nbsp; is exactly the same as interoperable object name, otherwise topology will fail.</P> Fri, 10 Sep 2021 19:34:16 GMT the_rock 2021-09-10T19:34:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129100#M26470 <P>Hi,</P><P>Based on the R80.30 VPN admin Guide, when doing Route Based VPN with clustered gateways, we need to assign one VTI IP address for each member and one VTI IP adddress for the cluster VIP .</P><P><A href="https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/13824&amp;anchor=o14011" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/13824&amp;anchor=o14011</A></P><P>Most of the time when doing Route Based VPN we get /30 or /31 subnet mask to have point to point with the peer.</P><P>- Does it mean that the IP for each member can be "dummy" interface that have nothing to do with the Cluster IP?</P><P>- Or should I get an IP in the same range for every VTI interface (Peer GW, member1, member2, and cluster)?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="vti.png" style="width: 900px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13662i59662FFE101D489A/image-size/large?v=v2&amp;px=999" role="button" title="vti.png" alt="vti.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you for your help</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Sep 2021 08:47:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129100#M26470 DR_74 2021-09-10T08:47:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129124#M26471 <P>I can confirm this, and Im 100% positive (no doubt in my mind at all) that everyone I ever worked with and configured this for, we always used IPs from 169.254.x.x subnet and it worked perfectly fine.</P> <P>As a matter of fact, you can refer to below article referencing that.</P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726</A></P> <P>BUT, this is really important...MAKE SURE that when adding routes for this, that default gateway is the actual remote VTI interface IP address, otherwise it wont work.</P> <P>&nbsp;</P> <P>Ping me privately if you have issues, I have some guides for this as well. I cant share them with you, but I could show you some screenshots.</P> <P>&nbsp;</P> Fri, 10 Sep 2021 16:54:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129124#M26471 the_rock 2021-09-10T16:54:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129140#M26472 <P>Hello</P><P>Thank you for your message</P><P>Just to clarify in our case we have the VTI address for the cluster that looks like 169.254.254.2. The remote peer has 169.254.254.1.</P><P>So can I use another 169.254.254.3 and .4 for both members ?&nbsp;</P><P>Or even something that has nothing to do with the VIP address eg 1.1.1.1 and 1.1.1.2</P> Fri, 10 Sep 2021 18:39:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129140#M26472 DR_74 2021-09-10T18:39:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129144#M26473 <P>Yes sir! So, say fw1 has VTI with IP 169.254.0.10 and fw2 is 169.254.0.11 and VIP is .12 and remote is say 169.254.0.15 (just making that up, but you get the idea, right?). MAKE SURE the peer name when creating vti interface&nbsp; is exactly the same as interoperable object name, otherwise topology will fail.</P> Fri, 10 Sep 2021 19:34:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/129144#M26473 the_rock 2021-09-10T19:34:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/154693#M26474 <P>I found this very useful, thanks!</P> Mon, 08 Aug 2022 03:01:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/154693#M26474 AK2 2022-08-08T03:01:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/154694#M26475 <P>Thanks for asking this question, I had the same one&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span><span class="lia-unicode-emoji" title=":handshake:">🤝</span></P> Mon, 08 Aug 2022 03:03:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VTI-interface-with-Cluster-XL/m-p/154694#M26475 AK2 2022-08-08T03:03:38Z