hugothebas
Collaborator

Enhanced Link Selection Route Based IPSEC VPN

Hello, friends.

I'm trying to set up a Route-Based IPsec VPN between Check Point and FortiGate using Enhanced Link Selection and BGP.

Both sides have 2 ISPs. On the Check Point side, I've configured Enhanced Link Selection as Active/Active and added both peer IPs to the Interoperable Device -> Topology.


[Image: Community Settings]

[Image: Check Point Enhanced Link Selection]

[Image: 3rd Party Enhanced Link Selection]

[Image: Interoperable Device Topology]


The issue is that this setup only provides one VTI. While Check Point seems to "float" this VTI between the two ISPs, FortiGate requires a dedicated VTI (Phase 1) for each tunnel to work properly with BGP.

I found a similar discussion here (IPsec Enhanced Mode tunnel redundancy), but it focuses on Domain-Based VPN. I’ve already tested Domain-Based, but the failover is too slow (over a minute) and unreliable for our needs.

I previously tried the "old school" method of creating two separate Interoperable Devices, but it was unstable and seems to defeat the purpose of Enhanced Link Selection.

Is there a way to achieve fast BGP convergence using VTIs while still leveraging Enhanced Link Selection, or am I hitting a limitation of how CP interacts with 3rd-party VTIs?

Thanks in advance.


Best Regards,
Hugo Thebas
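As an added illustration of the FortiGate-side requirement described in the post above (this is not from the original post, nor Check Point or Fortinet documentation): one phase1-interface, one tunnel interface and one BGP neighbor per ISP path. Interface names, addresses, AS numbers and the PSK are placeholders I am assuming; per this thread the Check Point side exposes only one VTI per peer name, so this shows what the FortiGate expects, not a confirmed working pairing with Enhanced Link Selection.

```fortios
# Constructed example: two dedicated route-based tunnels on the FortiGate,
# one per ISP, each with its own BGP session. All values are placeholders.
config vpn ipsec phase1-interface
    edit "cp-isp1"
        set interface "wan1"
        set ike-version 2
        set net-device disable
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret PLACEHOLDER_PSK
    next
    edit "cp-isp2"
        set interface "wan2"
        set ike-version 2
        set net-device disable
        set proposal aes256-sha256
        set remote-gw 198.51.100.10
        set psksecret PLACEHOLDER_PSK
    next
end
config system interface
    edit "cp-isp1"
        set ip 169.254.10.1 255.255.255.255
        set remote-ip 169.254.10.2 255.255.255.252
    next
    edit "cp-isp2"
        set ip 169.254.20.1 255.255.255.255
        set remote-ip 169.254.20.2 255.255.255.252
    next
end
config router bgp
    set as 65001
    set ebgp-multipath enable
    config neighbor
        edit "169.254.10.2"
            set remote-as 65002
            set bfd enable
            set keepalive-timer 3
            set holdtime-timer 9
        next
        edit "169.254.20.2"
            set remote-as 65002
            set bfd enable
            set keepalive-timer 3
            set holdtime-timer 9
        next
    end
end
```

The phase2-interface entries are omitted for brevity; with BFD and short BGP timers, loss of one path withdraws that neighbor's routes in seconds rather than the minute-plus observed with the domain-based setup.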
10 Replies
the_rock
MVP Diamond

I would put empty group vpn domain in interoperable object setting, rather than all IPs.

Best,
Andy
"Have a great day and if it's not, change it"
hugothebas
Collaborator

Thanks for the answer, Andy.

I think community settings overrides that configuration, doesn't it?


Best Regards,
Hugo Thebas
the_rock
MVP Diamond

Not 100% sure, but if you are able to manually edit it, you can try that.

Best,
Andy
"Have a great day and if it's not, change it"
hugothebas
Collaborator

I surely can do it, but this wouldn't solve the VTI issue. Maybe it could improve the domain-based setup; I can definitely try that if BGP is really not possible. I just want to be sure.


Best Regards,
Hugo Thebas
the_rock
MVP Diamond

I personally always found BGP works better in this case when using unnumbered VTIs.

Best,
Andy
"Have a great day and if it's not, change it"
hugothebas
Collaborator

It doesn't matter if I use a numbered or unnumbered VTI. Since I need to define the peer name to match the Interoperable Device object, I cannot create more than one VTI, unless it's possible to create 2 VTIs matching the same Interoperable Device. I've never tried that, and even if it's possible, how would the gateway know which VTI matches each peer?


Best Regards,
Hugo Thebas
the_rock
MVP Diamond

I don't believe you can do that, but I will try later.

Best,
Andy
"Have a great day and if it's not, change it"
the_rock
MVP Diamond

@hugothebas 

As I suspected, not possible if you use same peer name.

[Attachment: Screenshot_1.png]

Best,
Andy
"Have a great day and if it's not, change it"
hugothebas
Collaborator

Then I probably hit a limitation. Is it worth opening a TAC case? Maybe they can update the documentation and add this limitation (if confirmed).


Best Regards,
Hugo Thebas
the_rock
MVP Diamond

I would do that, yes.

Best,
Andy
"Have a great day and if it's not, change it"