topic Re: Config VPN 2S2 with 2 Public IPs to 2 different sites in Firewall and Security Management

Config VPN 2S2 with 2 Public IPs to 2 different sites

MarcuzShinz — Wed, 24 May 2023 03:04:45 GMT

Hi guy!,

Currently, i am having a problem with configuring 2S2 VPN on checkpoint. Specifically we have 2 VPN lines to 2 different sites

Now the ftth lines are plugged into Peplink and we have a connection between Peplink and Checkpoint.

Currently we have preconfigured an s2s to 1 Site. In the link selection we choose select Statically NATed IP and this tunnel is running very stable.

To be able to further configure the 2nd Tunnel, how should we choose link selection?

Has anyone come across this situation?

Re: Config VPN 2S2 with 2 Public IPs to 2 different sites

PhoneBoy — Wed, 24 May 2023 20:34:02 GMT

It's not clear what you're trying to do here.
Can you elaborate more about the current and desired state?
More specifically:

Version/JHF of the Check Point device
What device is the Check Point terminating a VPN to?
What kind of VPN is being set up here? Route based? Domain based? If domain based, what is the remote encryption domain?
Is your goal to establish two VPN tunnels to the same device or are you trying to establish a VPN to a different device?

The more details you can provide, the better.

Re: Config VPN 2S2 with 2 Public IPs to 2 different sites

MarcuzShinz — Thu, 25 May 2023 02:14:16 GMT

Hi @PhoneBoy , thanks for your response,

1. I have 2 devices Checkpoint Gateway version R81.10/HF take 94.

2. The remote peer is a 3rd party device but I don't know which provider it is.

3. The VPN set up here is the:

In the IP Selection by Remote Peer,

we choose "Statically Nated IP" We enter the Public IP in this section, because our checkpoint device is behind the Peplink device, and Peplink plays the role of NAT data output.

In the Outgoing Route Selection,

we choose "Operating system routing table"

4. As I described, we have 2 tunnels that need to be set up to 2 different sites. We have now configured a tunnel to a site according to the configuration shown in the attached figure.

The problem we are facing is how to configure one more tunnel. While in the "Statically Nated IP" section, only one Public IP is allowed.

Re: Config VPN 2S2 with 2 Public IPs to 2 different sites

PhoneBoy — Thu, 25 May 2023 20:22:45 GMT

Unfortunately, you cannot configure a different Link Selection IP for a different VPN peer directly; this is currently an RFE.
The only way to use a different IP for a different VPN peer is to route the traffic out a different physical interface and configure Link Selection accordingly.