topic Re: VPN Site2Site in Spark Firewall (SMB)

VPN Site2Site

Dido-Master — Thu, 27 Mar 2025 18:41:29 GMT

Hello mates!

I got a situation!

Cenario:

I have one vpn tunnel site2site configure and operational. I need to configure a redundant (second) vpn tunnel with exactly the same configuration except for the source and destination peer address. The problem is, every time the firewall try to establish the connection, it chooses always the first WAN interface as the source even if the source ip address selection is set to "Automatically chosen according to outgoing interface". I only have one default route configured for the primary link.

What should i accomplish to resolve this problem?!

Hardware in use: Checkpoint Quantum Spark 1590

Thanks in advance!

Re: VPN Site2Site

the_rock — Thu, 27 Mar 2025 23:48:40 GMT

I assume its locally managed smb with 2 wan links?

Andy

Re: VPN Site2Site

Dido-Master — Fri, 28 Mar 2025 07:25:38 GMT

Hi The Rock

Yes it is!

Re: VPN Site2Site

G_W_Albrecht — Fri, 28 Mar 2025 08:41:29 GMT

Not clear - does it mean even if the first ISP is down, it will not use the second WAN ? What about probing settings?

Re: VPN Site2Site

Dido-Master — Fri, 28 Mar 2025 08:51:12 GMT

Hi G_W

First: I want to know if it is possible to establish both tunnel up and running according to the cenario i presented.

Secord: If the first condition is possible, how to solve it. Is it necessary to add a new default route for the second link?!

Re: VPN Site2Site

the_rock — Fri, 28 Mar 2025 11:13:33 GMT

Can you send screenshots of how its configured, if possible? Just blur out sensitive data.

Andy

Re: VPN Site2Site

PhoneBoy — Fri, 28 Mar 2025 21:41:18 GMT

That's what Automatically Chosen According to Outgoing Interface will do: use the IP address associated with the interface that is used for the "next hop" to reach that address.
Unless you have a specific route configured for the remote encryption domain, the IP associate with your Default Route (i.e. via WAN1) will be used.
Or you configure ISP Redundancy.

Re: VPN Site2Site

Dido-Master — Fri, 28 Mar 2025 21:52:13 GMT

Hi PhoneBoy

You're saying that to make both tunnel up and operational i have to configure 2 specific static route instead of depending on the Default route?! 'Cause i already have a specific static route for the second link, but even so, isn't working!

Re: VPN Site2Site

the_rock — Fri, 28 Mar 2025 22:02:16 GMT

Sounds like that to me.

Andy

Re: VPN Site2Site

PhoneBoy — Fri, 28 Mar 2025 22:25:07 GMT

I was explaining how the feature works.
Unfortunately, it cannot be used to achieve your goal which, as I understand it, is to create TWO connections to the same encryption domain using different source/destination IPs for both tunnels.

This requires the use of MEP (Multiple Entry Point), among other things which are not currently supported on locally managed Quantum Spark appliances.
ISP Redundancy can be used to use different WAN IPs for a given VPN endpoint (requires multiple Internet connections).

Re: VPN Site2Site

Lesley — Sat, 29 Mar 2025 15:40:11 GMT

Is the remote peer IP also different? The ip you use to setup the tunnel with?

Otherwise you have overlap and it will not work.

Re: VPN Site2Site

Dido-Master — Mon, 31 Mar 2025 15:09:46 GMT

Hi Lesley

Yes. the remote peer is also different on both tunnels.