https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259640#M50921 <P>SmartConsole won't allow you to configure it under classic VSX per sk79700.</P> <P>"Multiple Static Routes with different priorities to the same destination"</P> Fri, 10 Oct 2025 12:39:30 GMT Chris_Atkinson 2025-10-10T12:39:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259634#M50917 <P>Hi Team,</P><P>We want to configure a route-based VPN tunnel. Below are the environment details:</P><P>* Local Gateway- checkpoint Virtual System Firewall&nbsp;</P><P>* Peer gateways:</P><P>&nbsp; &nbsp; &nbsp; Site-A: Third party Firewall</P><P>&nbsp; &nbsp; &nbsp; Site-B: Third party Firewall</P><P>&nbsp;</P><P>* Peer Encryption Domain: common (172.16.1.0/24), behind both location's Firewalls.</P><P>* Routing on Local Gateway: Static</P><P>&nbsp;</P><P>As peer encryption domain is common (172.16.1.0/24) which is to be access from our side through the IPSec.</P><P>&nbsp;We are planning to implement route-based VPN with both the locations, so that if primary tunnel with Site-A goes down then same Sunbnet_172.16.1.0/24 should be accessible through Site-B's tunnels.</P><P>We want to use static routing for this route-based VPN setup.</P><P>But we are not able to find route minoring option for VTY interface, as in standard environment (without vsx) we can enable next hop monitoring while configure the static route.</P><P>So, looking a solution for tunnel failover with static routing</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Oct 2025 11:37:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259634#M50917 VishnuK 2025-10-10T11:37:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259635#M50918 <P>To my knowledge route based VPNs for VSX are only supported with dynamic routing e.g. BGP.</P> Fri, 10 Oct 2025 11:55:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259635#M50918 Chris_Atkinson 2025-10-10T11:55:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259636#M50919 <P>you need dynamic routing for this like bgp&nbsp;</P> <OL class="IaGLZe VimKh" data-processed="true"> <LI data-hveid="CAMQAg" data-processed="true"><SPAN class="T286Pc" data-sfc-cp="" data-processed="true"><STRONG class="Yjhzub" data-processed="true">Dynamic Routing:</STRONG><SPAN>&nbsp;</SPAN>This infrastructure enables dynamic routing protocols (like OSPF or BGP) to exchange routing information directly with a routing daemon on the other end of the tunnel, making it appear as a single hop.</SPAN></LI> </OL> <P><SPAN class="T286Pc" data-sfc-cp="" data-processed="true">Check also policy based routing, is now also supported on vsx</SPAN></P> <P><SPAN class="T286Pc" data-sfc-cp="" data-processed="true"><A href="https://support.checkpoint.com/results/sk/sk167135" target="_blank">https://support.checkpoint.com/results/sk/sk167135</A></SPAN></P> Fri, 10 Oct 2025 11:57:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259636#M50919 Lesley 2025-10-10T11:57:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259639#M50920 <P>1. Does it mean we can't achieve it, using route monitoring with Static routing?</P><P>2. PBR can be used into this case for tunnel failover?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Oct 2025 12:32:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259639#M50920 VishnuK 2025-10-10T12:32:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259640#M50921 <P>SmartConsole won't allow you to configure it under classic VSX per sk79700.</P> <P>"Multiple Static Routes with different priorities to the same destination"</P> Fri, 10 Oct 2025 12:39:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259640#M50921 Chris_Atkinson 2025-10-10T12:39:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259644#M50922 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/106357">@VishnuK</a>&nbsp;what do you want to achieve? You need redundancy for your VPN ? Why route based VPN?&nbsp;<BR />I believe you can use the domain based VPN with two third party gateways at the remote site. Redundancy via MEP (MultipleEntryPoint) and using DPD (DeadPeerDetection) to probe the remote gateways availability.&nbsp;<BR /><A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk10860</A><SPAN>&nbsp; &nbsp;scenario 8</SPAN></P> Fri, 10 Oct 2025 12:53:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259644#M50922 Wolfgang 2025-10-10T12:53:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259766#M50940 <P>Hi Wolfgang,</P><P>Yes, we want we need redundancy for IPSec.&nbsp; MEP is applicable here? I am suspecting that, considering below points:</P><P>* We have the control of Local firewall only</P><P>* Traffic direction is outbound (Local to 3rd Party)</P><P>* Peer Firewalls are not checkpoint.</P><P>As per my understanding MEP can be configured only for incoming traffic. Please correct me, if i am wrong.</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Mon, 13 Oct 2025 09:41:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Tunnel-on-VSX-Virtual-System/m-p/259766#M50940 VishnuK 2025-10-13T09:41:13Z