Hi,
I have two gateways, GW1 & GW2, both on Gaia R80.20 (open server running on VMware). Both gateways are part of a Site-to-Site star community as meshed central gateways, connecting 10 other gateways.
Initial configuration was that all IPsec traffic was going through the eth0 WAN ports on both GW1 and GW2.
Now we have deployed a 1 Gbps Ethernet private line (EPL) connecting GW1 and GW2. So I want all traffic between these two gateways to go through the EPL, while all other IPsec traffic in the Site-to-Site community remains intact.
So on GW1 I have port eth4 configured as 172.20.0.1/24 which is connected directly to port eth6 on GW2 configured as 172.20.1.1/24 - ping is working in both directions.
I went with a route-based VPN: I configured unnumbered VTIs on both GW1 (tied to eth4) and GW2 (tied to eth6). After that I added static routes on each gateway to reach the networks behind the other gateway through vpnt1.
After the configuration was done, the traffic was flowing in both directions, but the network speeds were about 10 times lower than 1 Gbps.
Upon investigation with Check Point support we found out that IPsec traffic between GW1 and GW2 still originates from the eth0 WAN port (which has a speed of 150 Mbps) and is then routed through vpnt1. I see no IPsec traffic on the EPL ports eth4 and eth6, so the 1 Gbps line is not utilized.
What am I missing? Does anyone have experience configuring an EPL line on Check Point gateways?
Thank you!