https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199866#M37481 <P>Good morning</P><P>I would like a suggestion on how to perform site-to-site VPN redundancy between a checkpoint and fortigate. Both sides have two ISP links, and both must communicate cross-formation in case of failure of the main ISP</P><P>Example image attached</P><P>&nbsp;</P> Wed, 06 Dec 2023 14:19:12 GMT Icaro_IT 2023-12-06T14:19:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199866#M37481 <P>Good morning</P><P>I would like a suggestion on how to perform site-to-site VPN redundancy between a checkpoint and fortigate. Both sides have two ISP links, and both must communicate cross-formation in case of failure of the main ISP</P><P>Example image attached</P><P>&nbsp;</P> Wed, 06 Dec 2023 14:19:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199866#M37481 Icaro_IT 2023-12-06T14:19:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199881#M37485 <P>I am interested in this topic too.</P> Wed, 06 Dec 2023 15:50:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199881#M37485 starmen2000 2023-12-06T15:50:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199883#M37486 <P>I will ask one of my colleagues about Fortigate part, but I can tell you this about CP part. Even if you have ISP redundancy enabled, primary isp link failure will NOT automatically guarantee that VPN tunnel will simply continue to work, as Fortigate would never be aware of new IP address.</P> <P>Andy</P> Wed, 06 Dec 2023 15:53:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199883#M37486 the_rock 2023-12-06T15:53:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199885#M37488 <P>both sides know the IP of both ISP</P> Wed, 06 Dec 2023 16:00:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199885#M37488 Icaro_IT 2023-12-06T16:00:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199886#M37489 <P>If both ends know about the IPs of both links, then I dont see why it would not work, since in that case, if there is ever a failure, 2nd link would be able to establish a tunnel.</P> <P>Andy</P> Wed, 06 Dec 2023 16:02:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199886#M37489 the_rock 2023-12-06T16:02:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199887#M37490 <P>right, but what is the best way to do this at the checkpoint? based on static route, mode redundancy probe (CP feature), BGP... or just add a start community with two satellites referencing the fortigate side</P> Wed, 06 Dec 2023 16:11:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199887#M37490 Icaro_IT 2023-12-06T16:11:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199888#M37491 <P>There way smarter people than I on this forum, so Im sure they will chime in, but logically, I would say 2 satellites for FGT end. Not sure BGP would really make much difference here, as you are not doing say xpress route/VPN failover with Azure (just an example)</P> <P>Andy</P> Wed, 06 Dec 2023 16:15:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/199888#M37491 the_rock 2023-12-06T16:15:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/200111#M37528 <P>Route based with static route+priority+ping reachability or bgp+ smaller/bigger announcement (for example announce 192.168.0.0/24 for backup link and announce 192.168.0.0/25 and 192.168.0.128/25 for primary link). Other tips for bgp could be MED or AS-PATH-Prepend.</P> <P>You can configure two communities or one with two FGT satellites.</P> <P>Make sure ISP redundancy is applied for vpn too</P> Sat, 09 Dec 2023 14:29:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundancy-VPN-S2S/m-p/200111#M37528 CheckPointerXL 2023-12-09T14:29:41Z