topic Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls in Firewall and Security Management

Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Sbolton — Mon, 13 Oct 2025 21:46:44 GMT

I have a customer who has an HA pair set to Load-Sharing mode and is on R81.20. A VTI configuration with a third-party that is utilizing Ubiquiti devices. The firewalls are set as Load-Sharing in ISP Redundancy with the VPN check box cleared. The customer wishes to know the following.

How do they configure their route-based VPN to specifically use the secondary ISP connection? Their primary ISP has been having port flapping issues which is affecting the connection from the remote location's device to their network. Hence why they wish to do this. Any recommendations or things I should look out for? Any information would be appreciated.

Thank you

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

the_rock — Mon, 13 Oct 2025 23:46:29 GMT

Sounds like they need to make sure secondary ISP link works right. If 1st fails, does other one take over?

Andy

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Chris_Atkinson — Tue, 14 Oct 2025 00:50:46 GMT

How is your "link selection" configured currently, believe there were some enhancements with this under R82 per:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Link-Selection-Enhanced.htm

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Sbolton — Wed, 15 Oct 2025 13:04:10 GMT

The issue seems to be a hop along the path through one ISP compared to the other. It's pretty consistent, so they want to make the secondary connection the primary JUST for this vpn tunnel.

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Sbolton — Wed, 15 Oct 2025 13:05:33 GMT

You're right, that R82 enhanced link section is exactly what we would need for this too. I'll bring this up to the customer as they weren't planning on moving to R82 until December. I'll send this over to them to review. Thank you!

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Duane_Toler — Wed, 15 Oct 2025 13:37:20 GMT

Until you go to R82, for R80.20 and higher, you can use the BestRoutingSenderIP config as noted in sk108600, Scenario 2. Since R80.30, IKEv2 is also supported:

https://support.checkpoint.com/results/sk/sk108600

I use this regularly for several customers with multiple upstream next-hops. You'll need a static route on the gateway for the remote peer to exit the interface you want towards the desired next hop.

After this is set, the IKE ID for 3rd party VPN and PSK will adjust accordingly.

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

the_rock — Wed, 15 Oct 2025 15:14:42 GMT

Yep, that does work, used it before.

Andy

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Sbolton — Wed, 15 Oct 2025 15:18:11 GMT

Would these changes revert after an upgrade to R82?

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

Duane_Toler — Wed, 15 Oct 2025 18:43:14 GMT

The changes are in the HKLM_registry.data file, which would not be carried over for upgrades (in-place or otherwise). They will remain in place for Jumbo HFA updates, however.

Re: Route Based VPN (VTI) through Secondary ISP on Load Sharing Firewalls

the_rock — Thu, 16 Oct 2025 06:07:17 GMT

I would definitely back up the file, but @Duane_Toler is absolutely correct.