- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hi,
We a pair of Checkpoint firewalls running in R82 that is connecting to a 3rd party site in Cisco router over a private MPLS link and IPSEC (Policy based VPN) is running on top of it for security purposes.
Now, we're planning to have another link at the 3rd party for redundancy. Both the links are managed by different vendors.
[Check Point Cluster XL- Active/Standby- R82]
| |
MPLS-1/Active/First ISP MPLS-2/Standby/Secondary ISP
| |
[Cisco Router-1] [Cisco Router-2]
These will be a primary and backup link and no load balancing is being used. Upon the failure of the Active link, the backup link to process the traffic.
On the checkpoint side, I will have created two interoperable objects (one for each ISP) and attach the same encryption group to each. We need to have routes destined for the 3rd party which is going to be the same across both the links with the different next-hop IP address.
Traffic will be initiated from my side as well from the 3rd party also.
1. Is it a correct approach to have the same encryption domain for both the interoperable sites in this case?
2. Should I have to proceed with the Route based VPN or Enhanced Link Selection?
3. Both the encryption domain (if used) and route towards the 3rd party needs to be identical on both the links. How to ensure that upon failure of Link-1, Link-2 is taking over?
Thank you.
It's better to configure a route based vpn, so you can control routing between the two tunnels by using dynamic routing protocol (or static routing with monitoring of the remote peer).
Overlapping of encryption domain will not guarantee you to route the traffic to the right vpn; in this situation it's recommended to use route based vpn
It's better to configure a route based vpn, so you can control routing between the two tunnels by using dynamic routing protocol (or static routing with monitoring of the remote peer).
Overlapping of encryption domain will not guarantee you to route the traffic to the right vpn; in this situation it's recommended to use route based vpn
The same encryption domain to two or more gateways implies a MEP configuration.
Thanks for the info. I believe I can proceed with the Route based VPN which doesn't require Implicit MEP.
The reason is, I see the below limitation in the link you shared above for MEP.
Important - There must be no overlap between the VPN Domain of the Primary Security Gateway and the VPN Domain of the Backup Security Gateways - no IP address can belong to both VPN Domains.
I'd like to establish an IPSEC VPN from the Checkpoint firewalls to the 2 different MPLS/Internal providers. Traffic is going to be initiated from both the sides and encryption domain is going to be identical.
The traffic should traverse via the Active link and in the event of a failure, it should fall back to the secondary link.
Initially, I was of opinion to proceed with the Enhanced Link Selection(ELS) but it seems like same encryption domain might be an issue here.
Can you please advise?
Enhanced Link Selection would be useful if you were doing a single VPN tunnel to one remote end, but the encrypted packets could be routed via mutiple links to get there. It sounds like you want two tunnels to two different remote ends, and for traffic to route over one of them by preference. Hence people are suggesting Route Based VPNs. Route Based VPNs use empty encryption domains to establish, so the concept of overlapping encryption domains is not relevent. Both tunnels will be up, and you will use normal routing protocols established between the gateway and the two endpoints to manage the traffic routing behaviour.
I agree with @emmap ... in route based vpn the encryption domain are no more an issue, the peers negotiate the 0.0.0.0/0.0.0.0 as encyrption domain and everything can be managed with routing (static or dynamic).
Thank you very much for your response.
If a domain or policy-based VPN needs to be configured for any reason, could you please provide the high-level steps involved in this scenario?
I am seeking this information for my understanding 😊
In case of a route based vpn:
Configure to VTI numbered interfaces, assigning ip addresses like this:
CheckPoint VTI id 1 - 169.254.0.1 - Remote peer - 169.254.0.2
CheckPoint VTI id 2 - 169.254.1.1 - remote peer - 169.254.1.2
For each VTI on check point you need to define the peer id (this is the name of the interoperable device of the remote peer that you'll configure in SmartConsole).
Then create a VPN community by adding as the satellite gateways the interoperable devices created for the two remote peers.
In the tunnel management section, select "one tunnel per gateway pair".
For center and satellite gateways, assign an empty group as the encryption domain; this is the only difference compared with a plicy based vpn.
If you want to use dynamic routing, then you can configure BGP protocol (you can follow the advanced routing configuration guide).
If you want to configure static routing, when you configure the static route for the remote network, you define both remote next-hop (in example 169.254.0.2 and 169.254.1.2) and define a priority for these two peers (you can also enable ping option to check which peer is available).
At the end you configure the access policy (if you use BGP remember to configure policy to allow BGP protocol between your checkpoint and the remote peers).
Note that you only actually need the empty encryption domain on one end of the VPN. For example, on both of the satellite gateways for this VPN. This allows you to have route-based VPNs with some peers and domain-based VPNs with other peers.
I wouldn't use 169.254 addresses for VTIs. That block is reserved for APIPA. It would probably work (same as using addresses in 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4, or other reserved blocks), but it's not guaranteed to.
When building the access rules, don't specify the VPN community in the rule (leave that column set to "Any Traffic"). Traffic over a VTI doesn't match the community.
Yes, @Bob_Zimmerman you right about access rules and also for the encryption domain, I prefer to manage a VPN completely route-based or completely domain-based just to avoid confusion.
About the IP addressese for VTIs, I always used APIPA addresses (for example if you establish a VPN with AWS, AWS use these kind of IP addresses for VTIs), but you can also use different addresses, I think there aren't any limitation, these VTIs are point-to-point connection.
@simonemantovani wrote:
Yes, @Bob_Zimmerman you right about access rules and also for the encryption domain, I prefer to manage a VPN completely route-based or completely domain-based just to avoid confusion.
Sure, but one gateway often terminates several VPNs. Changes to existing VPNs usually require cross-company coordination, so it's good to know you can do some VPNs with encryption domains and others with routes without them necessarily interfering with each other.
On the topic of IPs selection, AWS, Azure, and GCP all do wildly incorrect things with networking. They are constant sources of problems for other companies.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 12 | |
| 6 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 1 |
Tue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY