topic Re: About site-to-site VPN outgoing route selection in Firewall and Security Management

About site-to-site VPN outgoing route selection

Steven_Sultana — Wed, 17 Dec 2025 21:11:15 GMT

This is more of an academic question, rather than me having an issue I would like to solve.

There are 2 interesting settings in the "outgoing route selection" section of the "IPSec VPN > Link Selection" panel:

1. Setup: When responding to a remotely initiated tunnel, determine the outgoing interfacing using:

1.a. Use outgoing traffic configuration

1.b. Reply from the same interface

2. Source IP address settings: When initiating a tunnel user the following IP address as the source IP of outgoing packets:

2.a. Automatic (derived from method of IP selection be remote peer)

2.b. Selected address from topology table

2.c. IP address of chosen interface

In my opinion, the answer to these questions should always be 1.b. (it's always polite to face the person you are speaking to 😅) and 2.c. (or else the next hop might drop your packets, since the packets do not belong to the next-hop network).

Is my assumption wrong?

What are the scenarios when these configurations are counter-productive?

Re: About site-to-site VPN outgoing route selection

Vincent_Bacher — Wed, 17 Dec 2025 21:47:11 GMT

What’s about use cases like multiple external interfaces, using SD-WAN or pbr? Does the assumption still apply on all ?

Perhaps someone has the time and inclination to run through the scenarios; I have to go to bed. Two more working days, then it's holiday time.

Re: About site-to-site VPN outgoing route selection

Steven_Sultana — Wed, 17 Dec 2025 21:59:59 GMT

Holiday time is when these weird questions come to my mind!

But good point - main use case is multiple external interfaces, probably with multiple 3rd party (or tbf even managed CP) gateways which may need to connect to different external interfaces for a variety of reasons.

Re: About site-to-site VPN outgoing route selection

the_rock — Thu, 18 Dec 2025 00:55:58 GMT

I just checked one of our clients that uses ISPR and the setting is set to link redundancy mode-> HA, then you choose main link.

This is what help section indicates:

Outgoing Route Selection
◦When Initiating a Tunnel ◾Operating system routing table - Using this method, the routing table is consulted for the link with the lowest metric (highest priority) to send traffic.
◾Route based probing - This method also consults the routing table for the link with the lowest metric. However, before choosing a link to send traffic, all routing possibilities are examined to check that the link is active. The gateway then selects the best match (highest prefix length) active route with the lowest metric, and hence the highest priority. This method is recommended when there is more than one external interface.

Automatic (derived from the method of IP selection by remote peer) - The source IP address of outgoing traffic is derived from the method selected in the IP Selection by Remote Peer section.
◦If Main address or Selected address from topology table are selected in the IP Selection by Remote Peer section, then the source IP when initiating a VPN tunnel is the IP specified for that method.
◦If Calculate IP based on network topology, Statically NATed IP, Use DNS resolving or Use a probing method is chosen in the IP Selection by Remote Peer section, then the source IP when initiating a VPN tunnel is the IP address of the chosen outgoing interface.
◦Manual:
◦Main IP address - The source IP is derived from the General Properties page of the gateway.
◦Selected address from topology table - The chosen IP from the drop down menu becomes the source IP.
◦IP address of chosen interface - The source IP is the same IP of the interface where the traffic is being routed through.

Re: About site-to-site VPN outgoing route selection

AmirArama — Thu, 18 Dec 2025 07:40:41 GMT

Quantum SD-WAN ignores all Link selection settings

Re: About site-to-site VPN outgoing route selection

Steven_Sultana — Thu, 18 Dec 2025 18:39:58 GMT

This is a great point to mention, thank you Amir. So when doing VPN orchestration between Checkpoint Gateways which are centrally managed and which all have and SD-WAN license, SD-WAN ignores all Link selection settings for those relevant gateways.

However, if one of those Checkpoint gateways has a VPN tunnel to another centrally Managed Checkpoint Gateway without SD-WAN license, or to a 3rd party gateway, I imagine that Link selection takes effect. Is this correct?

Re: About site-to-site VPN outgoing route selection

AmirArama — Thu, 18 Dec 2025 18:54:05 GMT

Correct.
*it's less a matter of license, but if SD-WAN policy is installed on the gateway.

Re: About site-to-site VPN outgoing route selection

Steven_Sultana — Thu, 18 Dec 2025 22:40:20 GMT

Thank you Amir for the clarification! Yes, "policy" is more precise than "license" in this case.

And thank you Andy for the reference to Docs and for sharing your experience.

I'm very curious to meet someone who had 1.b or 2.c and had to move away from them due to issues being caused "in the wild."