https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158563#M27656 <P>Yes, it does make sense, but please make sure you figure out routing in the process. I would start in a lab first</P> Sat, 01 Oct 2022 09:14:52 GMT _Val_ 2022-10-01T09:14:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158550#M27655 <P>Hi,</P><P>I'm using R81.10 with a number of domain-based S2S VPNs but am starting to get a number of requests for route-based VPNs. Normally that's fine for new peers but I have one request to switch a VPN from domain-based to route-based and am wanting to know if I can make roll-back easy by not having to dismantle any of the existing VPN.</P><P>So, here's the situation.</P><P>I have an existing interoperable device, call it vpn_ABC that is used as a satellite gateway in a domain-based community, call it Domain_Community.</P><P>The peer's owner wants to switch to route-based VPN but using the same peer (vpn_ABC).</P><P>If I create a new community, say Routed_Community, can I use the same centre gateway and same satellite gateway in that community but manually change the VPN domains for those gateways within this new community to be an empty group which I have created for route-based VPNs. In other words I'd end up with this:</P><P>Domain_Community (not used in any rules)</P><UL><LI>centre gateway = my_cluster with VPN domain = VPN_Domain (object group with multiple networks)</LI><LI>satellite gateway = vpn_ABC with VPN domain = ABC_Domain (object group with multiple networks)</LI></UL><P>Routed_Community (used in a rule)</P><UL><LI>centre gateway = my_cluster with VPN domain, manually set in the community = Empty_Group</LI><LI>satellite gateway = vpn_ABC with VPN domain, manually set in the community = Empty_Group</LI></UL><P>Will such a setup even work? Will my_cluster know to use the route-based VPN instead of the domain-based VPN?</P><P>Does any of that make sense?</P><P>&nbsp;</P><P>Colin</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Sep 2022 22:26:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158550#M27655 Colin_Campbell1 2022-09-30T22:26:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158563#M27656 <P>Yes, it does make sense, but please make sure you figure out routing in the process. I would start in a lab first</P> Sat, 01 Oct 2022 09:14:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158563#M27656 _Val_ 2022-10-01T09:14:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158860#M27756 <P>HI,</P><P>&nbsp;</P><P>Got the answer this morning when I installed policy which failed verification: "Please note that a pair of objects can appear only in one intranet community at most."</P><P>Colin</P> Wed, 05 Oct 2022 21:43:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-peer-in-multiple-VPN-Communities/m-p/158860#M27756 Colin_Campbell1 2022-10-05T21:43:41Z