https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160587#M28329 <P>If you have multiple external interfaces and uplinks and need 3rd party VPN to work with different uplinks (pre-shared key), then you need&nbsp;<SPAN>sk173048:</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk173048&amp;partition=Advanced&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk173048&amp;partition=Advanced&amp;product=IPSec</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>In Link Selection, the first option can remain at "Main Address". &nbsp;For Outgoing link, choose "based on routing decision". For "When responding..." option, choose "reply from same interface".</SPAN></P> <P>On the gateways, set static route to the external gateway out whichever interface link.</P> <P>Setting this registry does require a cpstop;cpstart. &nbsp;You can do it on one cluster member at a time, however, with no outage.</P> <P>&nbsp;</P> Thu, 27 Oct 2022 14:03:44 GMT Duane_Toler 2022-10-27T14:03:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160201#M28216 <P>Hi,&nbsp;</P><P>Need clear understanding to change live critical VPN configuration.&nbsp;</P><P>My requirement is we have 28 Live VPNs on Checkpoint Gateway. with one ISP provider. link selection we have configured checkpoint cluster-related VIP on link selection in a select address on the topology table option.&nbsp;</P><P>Now we have a new requirement we have to create a new VPN tunnel using another ISP link (NEW), based on our configuration this will not work because the link will select based on our previous configuration (Link selection).&nbsp;</P><P>1. Does anyone have a clear idea of how can we change this without major downtimes?&nbsp;</P><P>2. How technically work " Calculate IP Based on network topology" in link selection options, do we need to enable ISP redundancy for this requirement?&nbsp;</P><P>&nbsp;</P><P>Thank you,</P><P>Duminda Lakmal.</P> Mon, 24 Oct 2022 04:28:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160201#M28216 Duminda_lakmal 2022-10-24T04:28:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160433#M28269 <P>An answer depends on many things. One VPN community or multiple? Can you have two ISP links up at the same time? Those 28 remote GWs, who is managing them?</P> Wed, 26 Oct 2022 09:48:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160433#M28269 _Val_ 2022-10-26T09:48:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160486#M28281 <P>ISP Redundancy is only needed if you are changing the default route for ALL traffic.<BR />If you're just routing traffic for a specific VPN out a specific interface to go out a different ISP, all that's really needed is static routes on the gateway for the relevant VPN subnets to point to the nexthop IP of the other ISP.</P> Wed, 26 Oct 2022 16:15:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160486#M28281 PhoneBoy 2022-10-26T16:15:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160487#M28282 <P>Keep in mind that even if you are using ISP redundancy, if one link fails, VPN tunnels will never get reestablished, as other end will never know about "new" external IP address.</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/ISP-Redundancy-and-VPN.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/ISP-Redundancy-and-VPN.htm</A></P> <P>Though based on what it says on top of that link, its not 100% clear, maybe someone else can confirm:</P> <TABLE class="TableStyle-TP_Table_Notes" cellspacing="0"> <TBODY> <TR class="TableStyle-TP_Table_Notes-Body-Body"> <TD class="TableStyle-TP_Table_Notes-BodyA-Column_Style_Text-Body"> <P><SPAN class="Note">Note</SPAN><SPAN>&nbsp;</SPAN>-<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ispr variable">ISP Redundancy</SPAN><SPAN>&nbsp;</SPAN>settings override the<SPAN>&nbsp;</SPAN><SPAN class="Menu_Options">VPN Link Selection</SPAN><SPAN>&nbsp;</SPAN>settings.</P> </TD> </TR> </TBODY> </TABLE> <P>When<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ispr variable">ISP Redundancy</SPAN><SPAN>&nbsp;</SPAN>is enabled, VPN encrypted connections survive a failure of an ISP link.</P> <P>The settings in the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_ispr variable">ISP Redundancy</SPAN><SPAN>&nbsp;</SPAN>page override settings in the<SPAN>&nbsp;</SPAN><SPAN class="Menu_Options"><SPAN class="mc-variable Vars_BladesFeatures.tp_ipsecvpn variable">IPsec VPN</SPAN><SPAN>&nbsp;</SPAN>&gt; Link Selection</SPAN><SPAN>&nbsp;</SPAN>page</P> Wed, 26 Oct 2022 17:30:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160487#M28282 the_rock 2022-10-26T17:30:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160520#M28312 <P>Hi Val, currently we have 28 communities, but we are not touching those communities. those will be running with an existing WAN link, without any changes, those remote peers not manage us.&nbsp;</P><P>We have a new ISP link it was not connected to the checkpoint yet. once this link configuration is clarified we are planning to lay cables and configurations. and we need to create a new VPN community by connecting mentioned new ISP WAN connection.&nbsp;</P><P>what will happen if we are creating a static route to mentioned new Peer GW through mentioned NEW IPS link (our default route will still remain and not impact current connections). and set the gateway configuration, &gt; link selection &gt; set -&nbsp;<SPAN>Calculate IP Based on network topology. what are the impact when we do this? kindly help me, </SPAN></P><P><SPAN>I cannot find the guide for like these configurations.&nbsp;&nbsp;</SPAN></P><P><SPAN>Thank you,</SPAN></P><P><SPAN>Duminda Lakmal</SPAN></P> Thu, 27 Oct 2022 04:29:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160520#M28312 Duminda_lakmal 2022-10-27T04:29:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160521#M28313 <P>Hi,&nbsp;</P><P>Thank you so much for the advice. kindly advise what happen we set the:&nbsp;<SPAN>gateway configuration, &gt; link selection &gt; set -&nbsp;</SPAN><SPAN>Calculate IP Based on network topology options with static routes?&nbsp;</SPAN></P> Thu, 27 Oct 2022 04:32:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160521#M28313 Duminda_lakmal 2022-10-27T04:32:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160587#M28329 <P>If you have multiple external interfaces and uplinks and need 3rd party VPN to work with different uplinks (pre-shared key), then you need&nbsp;<SPAN>sk173048:</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk173048&amp;partition=Advanced&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk173048&amp;partition=Advanced&amp;product=IPSec</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>In Link Selection, the first option can remain at "Main Address". &nbsp;For Outgoing link, choose "based on routing decision". For "When responding..." option, choose "reply from same interface".</SPAN></P> <P>On the gateways, set static route to the external gateway out whichever interface link.</P> <P>Setting this registry does require a cpstop;cpstart. &nbsp;You can do it on one cluster member at a time, however, with no outage.</P> <P>&nbsp;</P> Thu, 27 Oct 2022 14:03:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Change-current-critical-production-VPN-configuration-change-gt/m-p/160587#M28329 Duane_Toler 2022-10-27T14:03:44Z