https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184693#M33931 <P>Your main ip address is a private ip or a public one? It is the IP configured on remote peers side?</P> Sat, 24 Jun 2023 07:27:44 GMT CheckPointerXL 2023-06-24T07:27:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184269#M33861 <P><SPAN>we already have a working CP cluster VPN tunnels S2S and remote access using&nbsp;&nbsp;IPSec VPN - Link Selection (Alway use this ip adress --- the 1er ISP public ip address, that is used as the a static NAT on Peplink load balancer).</SPAN></P><P>Now we are trying to implement a new VPN tunnels on the second link (ISP2) while ensuring the continuity of existing tunnels over ISP1.</P><P>Our primary goal is to incorporate the new VPN tunnels on ISP2 while keeping the existing tunnels on ISP1 operational. We should focus on maintaining connectivity and ensuring a smooth transition to use&nbsp; the both links ISP1 for the existing tunnels and ISP2 for the new ones .</P><P>we already tied a ISP redundancy that goes to failure, we even created support tickets with Checkpoint support, the last one is "<SPAN>6-0003628640"</SPAN> with no success .</P><P>This is very challenging for us since the customer was happy with the solution till this issue raises and other technologies like Fortigate and Palo Alto are arround.</P><P>any suggestion or workarround from you checkpoint gurus that can help will be appreciated.</P><P>Thanks&nbsp;</P> Mon, 19 Jun 2023 09:59:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184269#M33861 abdelmajid_lakb 2023-06-19T09:59:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184281#M33862 <P>Hello,</P><P>Your S2S tunnels, are these with Check Point devices managed by the same SMS, or with 3th party devices ?</P><P>If it is a 3th party, this device will not know about the link selection for remote peers (Always use this address, statically NATed IP ) and can use your ISP2 IP address. You will have to put a host route to ISP2 for the public IP of the new S2S VPN.</P><P>For Check Point managed devices, ISP redundancy should be able to failover the VPN to ISP2 if there is a failure, but I don't think it is possible to point al new peers to ISP2 while all others have ISP1. ( Maybe changing the ISP redundancy settings and only pushing them to the new peers will work, but not optimal ).&nbsp;</P><P>What issues did you get with ISP redundancy ? ( we also got a lot of issues, but is is a bit stable now, only drops once a week )</P><P>Maybe Check Point SDWAN is a solution for you ?</P> Mon, 19 Jun 2023 14:52:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184281#M33862 K_R_V 2023-06-19T14:52:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184693#M33931 <P>Your main ip address is a private ip or a public one? It is the IP configured on remote peers side?</P> Sat, 24 Jun 2023 07:27:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-tunnels-S2S-and-remote-access-using-IPSec-VPN-Link-Selection/m-p/184693#M33931 CheckPointerXL 2023-06-24T07:27:44Z