https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275886#M46055 <P>See if below helps.</P> <P><A href="https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-site-to-site-with-Remote-Peer-Dynamic-IP/m-p/180681#M33028" target="_blank">https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-site-to-site-with-Remote-Peer-Dynamic-IP/m-p/180681#M33028</A></P> Tue, 21 Apr 2026 13:33:46 GMT the_rock 2026-04-21T13:33:46Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275873#M46047 <P>&nbsp;</P><P>hi,</P><P>&nbsp;</P><P>Im currently helping a customer with a site to site vpn, between to quantum spark gateways, where one is DAIP.</P><P>After registereing a ddns address, i can easily log on and manage it, and it has&nbsp; a rulebase.</P><P>But we are struggling to get the vpn up and running, with only a generic "ike failure, error occured" message when we initiate traffic.</P><P>&nbsp;</P><P>I havent been able to find much documentation on how to properly set this up, and best practices, so i hope i might get some good feedback on here.</P><P>&nbsp;</P><P>the gateways are both centrally managed from the same mgmt server.</P><P>&nbsp;</P><P>Br,</P> Tue, 21 Apr 2026 11:10:10 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275873#M46047 KM1895 2026-04-21T11:10:10Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275874#M46048 <P>Did you set permanent tunnels on the gateway? Do you have the link selection configured all good on both ends? Which end are you sending traffic from to test?</P> Tue, 21 Apr 2026 11:19:08 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275874#M46048 emmap 2026-04-21T11:19:08Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275875#M46049 <P>hi,</P><P>&nbsp;</P><P>I set permanent tunnels, yes.</P><P>Link selection on DAIP is set to dns resolving, with the ddns.net address put in. Havent changed link selection on center gateway, as that is not a DAIP.</P><P>&nbsp;</P><P>We are initiation traffic from the DAIP gateway, as that is the way the traffic is meant to flow, and also the only supported way, if i remember correctly.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Apr 2026 11:22:37 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275875#M46049 KM1895 2026-04-21T11:22:37Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275878#M46050 <P>Link selection is still relevant to the non DAIP gateway - is the main IP on the general page of the gateway properties the internet IP? If not, you will need to set the correct external IP in link selection on that gateway and install policy to both of them. Or set the main IP to the internet IP and push policy to both.</P> Tue, 21 Apr 2026 12:16:57 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275878#M46050 emmap 2026-04-21T12:16:57Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275884#M46053 <P>yes, the link selection is correct for the non daip. this vpn community is already in production with other satelite gateways, and working..its just this DAIP gateway we are struggling with.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Apr 2026 13:21:38 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275884#M46053 KM1895 2026-04-21T13:21:38Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275886#M46055 <P>See if below helps.</P> <P><A href="https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-site-to-site-with-Remote-Peer-Dynamic-IP/m-p/180681#M33028" target="_blank">https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-site-to-site-with-Remote-Peer-Dynamic-IP/m-p/180681#M33028</A></P> Tue, 21 Apr 2026 13:33:46 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275886#M46055 the_rock 2026-04-21T13:33:46Z https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275910#M46059 <P>OK, if there's no useful information in the VPN logs for the key exchange failure specifically, it's time to get some VPN debug logs and open a TAC case so they can help figure it out.</P> <P><A href="https://support.checkpoint.com/results/sk/sk62482" target="_blank">https://support.checkpoint.com/results/sk/sk62482</A></P> <P>&nbsp;</P> Wed, 22 Apr 2026 02:50:42 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-DAIP/m-p/275910#M46059 emmap 2026-04-22T02:50:42Z