topic Re: VPN Site2Site, 2 Tunnels in General Topics

VPN Site2Site, 2 Tunnels

Ayoub_Bou — Mon, 21 Jul 2025 13:22:20 GMT

Hello,

I need to setup 2 Tunnels toward a partner( from Checkpoint R81.20 to Cisco ASA); how can i achieve failover from first tunnel to second in case of failure? (Attached the schema).

Regards;

Re: VPN Site2Site, 2 Tunnels

the_rock — Mon, 21 Jul 2025 18:36:20 GMT

To me, based on what you attached, seems like it would make sense to set one meshed community and have all 3 gateways included (2 Cisco sites would be presented as interoperable objects). That way, if say one Cisco side goes down, tunnel would still work to the other one.

Andy

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Tue, 22 Jul 2025 09:48:10 GMT

Hello,

Thank you for your reply, is there any SK on how to configure this?

Re: VPN Site2Site, 2 Tunnels

Martijn — Tue, 22 Jul 2025 10:26:24 GMT

Hi,

Consider using tunnel interfaces (VTI's) and a routing protocol (OSPF).

If a VTI goes down, OSPF will use the other VTI to route traffic.

Regards,
Martijn

Re: VPN Site2Site, 2 Tunnels

the_rock — Tue, 22 Jul 2025 11:15:42 GMT

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/CP_R82_SitetoSiteVPN_AdminGuide.pdf

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Tue, 22 Jul 2025 14:34:43 GMT

it's impossible to have the same encryption domain to 2 different interoperable objects

Re: VPN Site2Site, 2 Tunnels

the_rock — Tue, 22 Jul 2025 14:36:21 GMT

Sure you can.

Re: VPN Site2Site, 2 Tunnels

the_rock — Tue, 22 Jul 2025 14:44:01 GMT

Btw, I would do what @Martijn suggested, makes total sense. Also, you can set enc domains as empty group for everything (Cisco and CP), but make sure traffic is controlled with the correct rule, ie include whatever subnets need to participate.

Andy

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Wed, 23 Jul 2025 07:55:02 GMT

Hi, thank you for your reply, i only manage the checkpoint cluster, ospf neeed to be configured on cisco ASA(managed by partner) as well?

Re: VPN Site2Site, 2 Tunnels

Martijn — Wed, 23 Jul 2025 08:00:22 GMT

Hi,

Yes, OSPF needs to be configured on both end of the VPN tunnel.

Regards,
Martijn

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Wed, 23 Jul 2025 14:55:08 GMT

Hello,

routing with VTI is difficult to implement, our partner is not too technical, i found in a threat that it's possible, 1 community ,2 interoperable GW, same encryption domain,

2 VPN's Same Remote Encryption Domain - Check Point CheckMates

Re: VPN Site2Site, 2 Tunnels

the_rock — Wed, 23 Jul 2025 15:02:36 GMT

Its actually pretty simply. But, I mean, like anything in life, things are easy when you know it : - ). Anyway, check out link I posted while back about doing this for Azure vpn tunnel, hope it helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: VPN Site2Site, 2 Tunnels

JozkoMrkvicka — Thu, 24 Jul 2025 06:24:54 GMT

The solution is to use explicit MEP (Multiple Entry Point) feature inside VPN Community settings.

Site1 and Site2 will use the same VPN encryption domain. Inside MEP settings, Site1 can be set as Primary gateway and in case Site1 is not responding, VPN will switch to use Site2.

There is also option to use implicit MEP where you can choose which gateway should be used as primary and which as backup.

Re: VPN Site2Site, 2 Tunnels

the_rock — Thu, 24 Jul 2025 10:48:01 GMT

You got it! @Ayoub_Bou , implicit MEP option would be used if vpn domains overlap.

Andy

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Fri, 25 Jul 2025 08:51:43 GMT

Hello,

in my environement, there is one single entry( Checkpoint Cluster), and the satellilte gateways are not managed by me

Re: VPN Site2Site, 2 Tunnels

Ayoub_Bou — Fri, 25 Jul 2025 08:55:09 GMT

Hello Andy,

domain overlap is on the peer side ( Cisco ASA), i can't configure MEP on my side, i dont know if traffic failsover automaticly with this config ( schema attached)

Re: VPN Site2Site, 2 Tunnels

JozkoMrkvicka — Sat, 26 Jul 2025 06:43:08 GMT

Hi,

Just swap Center gateways with Satellite Gateways each other.