https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/129223#M23580 <P>Why wouldn't you use dynamic routing here?</P> Mon, 13 Sep 2021 01:47:14 GMT PhoneBoy 2021-09-13T01:47:14Z https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/128956#M23518 <P>Hello all,</P><P>I have the following scenario:</P><P>DCFW &lt;--Policy-based VPN--&gt; OfficeFW &lt;--Route-based VPN--&gt; AWS</P><P>OfficeFW has one policy-based VPN with Data Center and one route-based VPN with AWS.<BR />10.20.0.0/24 subnet is located in AWS and should be reachable via route-based VPN. There's already static routes added pointing to both AWS peers.<BR />After the DCFW has another VPN with the same AWS VPC, OfficeFW has the same route for 10.20.0.0/24 via policy-based VPN. I would like the traffic from OfficeFW to AWS to go through route-based VPN, but after the policy-based VPN is with priority, the traffic is going through it. Due to the complicated setup in the environment, I'm not able to remove 10.20.0.0/24 from DCFW encryption domain. That's why I added 10.20.0.0/24 in vpn_route.conf to point to AWS-GW1. Here's what we have in static-route configuration:</P><P><EM><STRONG># AWS-GW1</STRONG></EM><BR /><EM><STRONG>set static-route 10.20.0.0/24 nexthop gateway address 169.254.26.1 priority 1 on</STRONG></EM></P><P><EM><STRONG># AWS-GW2</STRONG></EM><BR /><EM><STRONG>set static-route 10.20.0.0/24 nexthop gateway address 169.254.25.1 priority 2 on</STRONG></EM></P><P><EM><STRONG>set static-route 10.20.0.0/24 ping on</STRONG></EM></P><P>As you can imagine with the current vpn_route.conf setup, the route is going via route-based VPN with gateway 169.254.26.1</P><P><EM><STRONG># vpn_route.conf</STRONG></EM><BR /><EM><STRONG># destination router install_on [for comm | force_override]</STRONG></EM><BR /><EM><STRONG>Net_10.20.0.0_24 AWS-GW1 OfficeFW</STRONG></EM></P><P>The question is what I can do to have AWS-GW2 (169.254.25.1) as a backup in case the VPN tunnel with AWS-GW1 is down. I doubt I can add second line like that:<BR />Net_10.20.0.0_24 AWS-GW2 OfficeFW</P><P>Do you know any other methods except vpn_route.conf to have route-based VPN as preferred option over policy-based VPN?</P><P>Thank you!</P> Wed, 08 Sep 2021 14:10:10 GMT https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/128956#M23518 mk1 2021-09-08T14:10:10Z https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/129223#M23580 <P>Why wouldn't you use dynamic routing here?</P> Mon, 13 Sep 2021 01:47:14 GMT https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/129223#M23580 PhoneBoy 2021-09-13T01:47:14Z https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/129238#M23582 <P>Maybe I don't understand your point, but how the dynamic routing will help here? Even if enable dynamic routing between AWS and OfficeFW, the route over policy-based VPN will still be the preferred one.</P> Mon, 13 Sep 2021 07:00:10 GMT https://community.checkpoint.com/t5/General-Topics/VPN-preferred-route-policy-based-vs-route-based/m-p/129238#M23582 mk1 2021-09-13T07:00:10Z