https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259229#M43828 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;, Can you please share any related SK or document?</P><P>&nbsp;</P><P>Regards,</P><P>Saranya</P> Tue, 07 Oct 2025 11:07:56 GMT Saranya_0305 2025-10-07T11:07:56Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259082#M43788 <P>Dear Mates,</P><P>I am having Cluster setup running in R81.10 and Management Server in R81.20.</P><P>My firewalls having two ISPs(external interfaces) which are in ISP redundancy mode.&nbsp;</P><P>Now I want to create a IPsec VPN tunnel between Firewall and third party Remote server directly,&nbsp; it it possible?</P><P>If it is possible then how can I use my two ISPs?</P><P>- Do I need to make two different IPsec tunnels? If yes, will they&nbsp; work redundancy mode automatically or we need to manually?</P><P>- Can we do FQDN and map those two ISPs to that FQDN and create IPsec tunnel?</P><P>&nbsp;</P><P>Can anyone please suggest me?</P><P>&nbsp;</P><P>Regards,</P><P>Saranya</P> Mon, 06 Oct 2025 07:47:52 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259082#M43788 Saranya_0305 2025-10-06T07:47:52Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259094#M43793 <P>I believe it would have to be manual option, unless you have routes with different priorities, so if main one fails, then other one will take over. Here is my reasoning for it...if you think about it logically, say you have VPN with Cisco or Fortinet or PAN, whatever really. IF main link fails, well, there is no way other side would "know" about new ISP link, so tunnel would never re-establish.</P> <P>Hope that helps.</P> <P>Andy</P> Mon, 06 Oct 2025 11:28:32 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259094#M43793 the_rock 2025-10-06T11:28:32Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259200#M43826 <P>Can we map two different vendor ISPs IP to single FQDN and make VPN tunnel?</P><P>Regards,</P><P>Saranya</P> Tue, 07 Oct 2025 09:35:23 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259200#M43826 Saranya_0305 2025-10-07T09:35:23Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259224#M43827 <P>Im fairly sure you can, you just need 2 A records pointing to same fqdn. I know we did this for a customer while back for remote access.</P> <P>Andy</P> Tue, 07 Oct 2025 10:59:14 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259224#M43827 the_rock 2025-10-07T10:59:14Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259229#M43828 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;, Can you please share any related SK or document?</P><P>&nbsp;</P><P>Regards,</P><P>Saranya</P> Tue, 07 Oct 2025 11:07:56 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259229#M43828 Saranya_0305 2025-10-07T11:07:56Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259230#M43829 <P>I know there were 2, one I can easily find, but will check the 2nd one later and update you.</P> <P>Andy</P> Tue, 07 Oct 2025 11:10:22 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259230#M43829 the_rock 2025-10-07T11:10:22Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259262#M43830 <P>There you go.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk103440" target="_blank">https://support.checkpoint.com/results/sk/sk103440</A><BR /><A href="https://support.checkpoint.com/results/sk/sk131612" target="_blank">https://support.checkpoint.com/results/sk/sk131612</A></P> Tue, 07 Oct 2025 12:39:04 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259262#M43830 the_rock 2025-10-07T12:39:04Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259275#M43831 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;gave info on how you can do this with the Endpoint VPN client, but for site-to-site VPNs with 3rd party gateways, this can't be done with pre-shared keys. &nbsp;If the remote end is willing to do either:</P> <UL> <LI>Use a certificate issued by your management internal_ca, or</LI> <LI>Use VTI with IKEv2 and universal tunnels &nbsp;(likely the better choice)</LI> </UL> <P>&nbsp;</P> <P>With certificate, the remote end can allow your side to appear as a "dynamic IP" VPN peer and allow authentication to rely on the certificate. However, now that we have VTIs and universal tunnels, certificates will be less preferred and instead you should use the VTIs.</P> <P>The remote end will build 2 VPN gateways for each of your ISP-provided IPs (or the cluster VIP for each, if you have ISP Redundancy on a cluster). &nbsp;The encryption domains for both you and them will be empty group objects (or, however the remote device does this). &nbsp;You'll then create a VTI on your firewall gateway in CLISH, as will the remote peer. &nbsp;The IPs on the VTIs are irrelevant; VTIs are just point-to-point links and any packet you send to that VTI device will be encrypted and sent to the specified remote peer (specified in the VTI configuration).</P> <P>You can use static routing with either primary/secondary priority, or just let it be equal-cost; doesn't matter either way. &nbsp;This is how you do an AWS VPNgw redundant VPN, too.</P> <P>The remote peer does the same thing, only in reverse, with a VTI on their side. &nbsp;They will add static route for your VPN networks across the VTI. &nbsp;Configure the VPN community tunnel management as "one tunnel per gateway pair" and you're done.</P> <P>&nbsp;</P> Tue, 07 Oct 2025 13:30:10 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259275#M43831 Duane_Toler 2025-10-07T13:30:10Z https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259276#M43832 <P>I got this document from someone in community while ago, not sure it may help in this case, but here it is anyway <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> <P>Andy</P> Tue, 07 Oct 2025 13:36:05 GMT https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-Checkpoint-and-Remote-Server/m-p/259276#M43832 the_rock 2025-10-07T13:36:05Z