https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177054#M32441 <P>No problem to use all three interfaces. If your local interface is only reachable via local routing not via the other ISPs it‘s no problem. But you have to configure properly the outgoing routing options and link probing.</P> Sun, 02 Apr 2023 19:26:03 GMT Wolfgang 2023-04-02T19:26:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177012#M32431 <P>we use star community pattern. there are 2 providers on central gateway and we want to enable ISP load sharing therefore we check "apply settings to vpn traffic" but there is a problem that one tunnel is built on gateway that's available on l2 channel (via local address on 3rd interface) without internet access. if we enable option i mentioned above then settings will affect link section and this vpn thus vpn tunnel(with local ip) will be built on gateways with internet access which leads to failure(vpn tunnel won't be built) is there any way to configure isp ls but make an exception for it?</P> Sun, 02 Apr 2023 11:14:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177012#M32431 Andrey_Gl 2023-04-02T11:14:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177021#M32434 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/53455">@Andrey_Gl</a>&nbsp;you can configure ISP redundancy without&nbsp;<SPAN>"apply settings to vpn traffic".</SPAN></P> <P><SPAN>With this setting the configuration for VPN link selection doesn‘t follow ISP redundancy configuration. You can configure VPN link selection with link probing to check which link is available.</SPAN></P> Mon, 03 Apr 2023 06:34:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177021#M32434 Wolfgang 2023-04-03T06:34:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177033#M32440 <P>Thank you.<SPAN>Yes, I see that option, but if I enable it, won't I need to select three addresses there - two provider addresses and one local address of another peer? Won't they interfere with each other? In our installation, there are 10 VPN peers available through two interfaces looking to the Internet, and one VPN peer is available through a local interface.</SPAN></P> Sun, 02 Apr 2023 18:54:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177033#M32440 Andrey_Gl 2023-04-02T18:54:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177054#M32441 <P>No problem to use all three interfaces. If your local interface is only reachable via local routing not via the other ISPs it‘s no problem. But you have to configure properly the outgoing routing options and link probing.</P> Sun, 02 Apr 2023 19:26:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177054#M32441 Wolfgang 2023-04-02T19:26:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177065#M32443 <P>Im fairly confident what&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;suggested will work, as I had customer do this in the past and that was perfect option to make it work as intended.</P> Sun, 02 Apr 2023 22:23:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Load-sharing-exception-for-VPN-peer/m-p/177065#M32443 the_rock 2023-04-02T22:23:21Z