https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167078#M30161 <P>We have a requirement as below :</P><P>Currently, we have established IPSEC between Our Primary DC and One of the client's site firewalls and we are managing our Primary and DR DC checkpoint FW using the same Management server.</P><P>We must set up our DR center with the Same peer Gateway IP.&nbsp; what is the recommended method to configure interoperable configuration, is it okay to duplicate the interoperable device witch we use in Production GW Cluster and the same Duplicate Current VPN domain?&nbsp;</P><P>&nbsp;</P><P>Instead of using existing interoperable devices create another one in Documentation &amp; administration.&nbsp;</P><P>&nbsp;</P><P>Please advise are there any disadvantages create 2 interoperable device with same IP?&nbsp;</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Jan 2023 11:13:25 GMT Duminda_lakmal 2023-01-09T11:13:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167078#M30161 <P>We have a requirement as below :</P><P>Currently, we have established IPSEC between Our Primary DC and One of the client's site firewalls and we are managing our Primary and DR DC checkpoint FW using the same Management server.</P><P>We must set up our DR center with the Same peer Gateway IP.&nbsp; what is the recommended method to configure interoperable configuration, is it okay to duplicate the interoperable device witch we use in Production GW Cluster and the same Duplicate Current VPN domain?&nbsp;</P><P>&nbsp;</P><P>Instead of using existing interoperable devices create another one in Documentation &amp; administration.&nbsp;</P><P>&nbsp;</P><P>Please advise are there any disadvantages create 2 interoperable device with same IP?&nbsp;</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Jan 2023 11:13:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167078#M30161 Duminda_lakmal 2023-01-09T11:13:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167106#M30182 <P>External IP should not be a issue however the SIC IP has to be different. By the way how the peer will differentiate and establish VPN with same peer&nbsp; IP? How will peer know which firewall to route the packet?</P><P>&nbsp;</P><P>What is the intention of this activity? I guess there are other ways to achieve the redundancy if you are planning for it then.</P> Mon, 09 Jan 2023 12:44:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167106#M30182 Blason_R 2023-01-09T12:44:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167156#M30198 <P>Hi.</P><P>Yes, our&nbsp;<SPAN>intention&nbsp;is High availability. Peer gateway ( I Mean Customer side Firewall).&nbsp;</SPAN></P><P><SPAN>On our Side, we have a separate policy package for Primary &amp; DR. currently we have one community with a production side cluster and Customer's side Firewall IP (Interoperable Device)</SPAN></P><P>we are going to create new VPN Community with mentioning DR Site CP Cluster and Client's side same Peer GW IP (Second interoperable Device - Duplicate as Primary side configures because peer GW and Domain same)</P><P>&nbsp;</P><P>Also, we are asking customer to create new community including our DR site and their Gateways.&nbsp;</P><P>(No Need automatic failover)</P><P>&nbsp;</P><P>***This is my Question We can use</P><P>1. only One interoperable device for both My side communities DR and Primary</P><P>2. Create Duplicate Interoperable same as Production site configures then apply new duplicated one for DR community configuration.&nbsp;</P><P>&nbsp;</P><P>Are there any limitation or misconfiguration when i duplicate Interoperable device in checkpoint environment?&nbsp;</P><P>I totally understand without duplicate we can do this, but this is for my understanding.&nbsp;</P><P>Kindly help me clarify this point.&nbsp;</P><P>Thank you,&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Jan 2023 17:11:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167156#M30198 Duminda_lakmal 2023-01-09T17:11:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167158#M30200 <P>Nah - I dont think you will be able to do it on CheckPoint and yes Check Point wont be able to send a traffic if encryption_domains overlaps. You must think of something else; I have compiled vyos open source and then using it for all my site-site VPN configurations.</P> Mon, 09 Jan 2023 17:18:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167158#M30200 Blason_R 2023-01-09T17:18:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167159#M30201 <P>I agree with&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1551">@Blason_R</a>&nbsp;. Its highly unlikely you can do this with CP side.</P> Mon, 09 Jan 2023 18:11:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Interoperable-IP-Duplicate-configuration/m-p/167159#M30201 the_rock 2023-01-09T18:11:18Z