https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166871#M30061 <P>Reality is,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1551">@Blason_R</a>&nbsp;is 100% correct. Truth is, making this work with CP is not so easy. MEP sounds like your best bet, because without it, CP will never know how to choose the right 3rd party device in case of failure.</P> Fri, 06 Jan 2023 04:24:28 GMT the_rock 2023-01-06T04:24:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166852#M30052 <P>Hi Guys,</P><P>I have found some ideas how to configure VPN redundancy with third party device (Cisco routers in my case), but some parts are not clear for me. I have one community with about ten devices (Cisco) and hub - checkpoint, everything works fine. I need to create redundancy for couple of sites, they have two ISPs. On Cisco side i am going to create two tunnels and use EMM with SLA or dynamic routing (but not sure about that, in this case i need to configure it on Checkpoint side too).</P><P>CheckPoint side, bunch of questions...&nbsp; Looks like i have to create more Interoperable devices and add them to Community, but in this case how CheckPoint will choose them? and how will it know about primary channel outage? etc</P><P>Please advise</P><P>thanks&nbsp;</P> Thu, 05 Jan 2023 22:07:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166852#M30052 Sergo89 2023-01-05T22:07:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166855#M30053 <P>Probably the best way to do it with third party devices is with VTIs and Dead Peer Detection.</P> Thu, 05 Jan 2023 23:24:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166855#M30053 PhoneBoy 2023-01-05T23:24:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166858#M30054 <P>thanks. How it should like from checkpoint side? Another community special for one site with two devices? how to change routing?</P> Fri, 06 Jan 2023 00:21:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166858#M30054 Sergo89 2023-01-06T00:21:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166864#M30055 <P>Unfortunately this is a challenge and limitation I faced since beginning and AFAIK this is definitely not possible with checkpoint. Hence I started using different topology or devices like vyos or other routers for VPN IPsec.</P><P>Even you configure VTI - VTI is based on Ipsec and you need to have IPsec setup first since CheckPoint listens on only one interface this creates an issue. May be you could try MEP feature</P> Fri, 06 Jan 2023 02:08:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166864#M30055 Blason_R 2023-01-06T02:08:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166871#M30061 <P>Reality is,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1551">@Blason_R</a>&nbsp;is 100% correct. Truth is, making this work with CP is not so easy. MEP sounds like your best bet, because without it, CP will never know how to choose the right 3rd party device in case of failure.</P> Fri, 06 Jan 2023 04:24:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166871#M30061 the_rock 2023-01-06T04:24:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166874#M30064 <P>Thanks guys!</P> Fri, 06 Jan 2023 04:27:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166874#M30064 Sergo89 2023-01-06T04:27:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166876#M30066 <P>For the reference:</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/MEP.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/MEP.htm</A></P> <P>Andy</P> Fri, 06 Jan 2023 04:29:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166876#M30066 the_rock 2023-01-06T04:29:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166936#M30098 <P>It’s a lot more complicated than that since you might need to redo the entire configuration as VTIs instead of using domain based VPN as mixing the two creates its own issue.<BR />MEP might also work as well as others have suggested (but make sure that DPD is configured since that’s required for third party VPN endpoints).</P> Fri, 06 Jan 2023 14:20:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-redundancy-with-third-party-devices/m-p/166936#M30098 PhoneBoy 2023-01-06T14:20:59Z