topic Re: Question about VPN S2S Permanent Tunnel in General Topics

Question about VPN S2S Permanent Tunnel

RemoteUser — Thu, 19 Mar 2026 13:28:14 GMT

Hi Mates,
Simple question here:
Is the permanent tunnel feature for a site-to-site VPN is enabled via GuiDBEdit, or am I missing something?

Re: Question about VPN S2S Permanent Tunnel

the_rock — Thu, 19 Mar 2026 13:29:31 GMT

Hey brother,

No need, just enable it via tunnel management in community settings in smart console.

Re: Question about VPN S2S Permanent Tunnel

Tal_Paz-Fridman — Thu, 19 Mar 2026 13:32:52 GMT

And you can obviously also use the relevant Management API commands:

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/add-vpn-community-meshed~v2.1%20

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/set-vpn-community-star~v2.1%20

Re: Question about VPN S2S Permanent Tunnel

RemoteUser — Thu, 19 Mar 2026 13:36:07 GMT

But I remembered that sometimes I saw it done in GuiDBEdit as well. Under what circumstances should this be done?

Re: Question about VPN S2S Permanent Tunnel

the_rock — Thu, 19 Mar 2026 13:39:01 GMT

I believe ever since R80.30 or R80.40, its enabled automatically in guidbedit once you set it as permanent tunnel.

Re: Question about VPN S2S Permanent Tunnel

RemoteUser — Thu, 19 Mar 2026 13:48:13 GMT

ok thank you brother, i'll double check also with TAC

Re: Question about VPN S2S Permanent Tunnel

the_rock — Thu, 19 Mar 2026 13:56:29 GMT

Sure thing, though Im fairly positive thats the case.

Re: Question about VPN S2S Permanent Tunnel

PhoneBoy — Thu, 19 Mar 2026 15:50:47 GMT

In R81, DPD became the default (i.e. not something you have to enable with guidbedit), as mentioned in Scenario 5 here: https://support.checkpoint.com/results/sk/sk108600
Not sure if this applies if the management was upgraded from a pre-R81 release or not.

In any case, you still have to enable "Permanent Tunnels" in the relevant VPN community.

Re: Question about VPN S2S Permanent Tunnel

RemoteUser — Fri, 20 Mar 2026 09:26:32 GMT

Reading the admin guide here: https://sc1.checkpoint.com/documents/R82.10/WebAdminGuides/EN/CP_R82.10_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Tunnel-Management.htm?tocpath=Tunnel%20Management%7C_____0#Tunnel_Management

It appears that a Permanent Tunnel can only be established when both peers in the site-to-site VPN are Check Point gateways.

In cases where the peer is a non–Check Point gateway, it is necessary to enable PDP (Permanent Tunnel via DPD). From what I understand, this configuration seems to require enabling it through GuiDBEdit.

Insight from the guide:

Permanent Tunnels can only be established between Check Point Security Gateways.
Dead Peer Detection (DPD) is a different method to test if VPN tunnels are active. Dead Peer Detection does support third-party Security Gateways and supports permanent tunnels with interoperable devices based on IKEv1/IKEv2 DPD (IKEv1 DPD is based on RFC 3706).

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in Database Tool (GuiDBEdit Tool) or dbedit (see skI3301). This includes third-party gateways. (You cannot configure different monitor mechanisms for the same gateway).

In Database Tool (GuiDBEdit Tool), go to Network Objects > network_objects > <Name of Security Gateways object> > VPN.

For the Value, select a permanent tunnel mode.

Save all the changes.

Install the Access Control Policy.

Re: Question about VPN S2S Permanent Tunnel

the_rock — Fri, 20 Mar 2026 11:50:53 GMT

Its true thats what it says, but in reality, it works fine with any other vendor and no need to change anything in guidbedit once you enable permanent tunnel setting.

Re: Question about VPN S2S Permanent Tunnel

PhoneBoy — Mon, 23 Mar 2026 16:39:00 GMT

Sounds like an area where the documentation might need to be updated.
Tagging @Sergei_Shir

Re: Question about VPN S2S Permanent Tunnel

RemoteUser — Mon, 23 Mar 2026 16:58:15 GMT

Hey, bro,
So why does the administrative guide mention it? I don't get it.

Re: Question about VPN S2S Permanent Tunnel

Gil_Frantsus — Thu, 16 Apr 2026 09:53:09 GMT

Hello,

We have updated the Site-to-Site VPN Admin Guide, removed the GuiDBedit instructions and added a note:

Starting in R81.20, when you create the interoperable device object for the 3rd Party VPN gateway, DPD is automatically set as the permanent tunnel method.

Thank you for your feedback.

Re: Question about VPN S2S Permanent Tunnel

RemoteUser — Fri, 24 Apr 2026 08:38:41 GMT

Hi @Gil_Frantsus thank you!