Sorry, now the right link: Site to Site VPN R80.10 Administration Guide

Configure Link Selection:

>  Security Gateway Properties > IPsec VPN > Link Selection

Regards

Heiko

Even with third party peers, you can use link selection, set the source to be based on the incoming connection.

ISP redundancy is another thing, but when the other side is capable of trying the other IP you can still use this setting.

Interessing post

Maarten Sjouw‌ can you please elaborate your last comment.

I have a lof of existing s2s via one ISP and I want to test for one third party peer, s2s vpn using one new second ISP line.

Thank you 

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month period in which we moved all the 3rd parties one by one.

How? Well quite simple actually. first setting to change is the link selection Source IP address setting, (in R77.30 it was also possible to setup the outgoing interface) to Manual and set it to IP Address of chosen interface.

In the OS routing table the default route is either of the 2 ISP's. In our case we direct those IP's of the remote site's to the correct interface, this way the traffic will go out the right interface and use the IP of that ISP. The other side will also use that specific IP to build the tunnel.

Oh great!

Thank you Maarten. It's very clear and I planned to do it like you did 

We have setup ISP redundancy and it seems work bcs we can connect the 2nd ISP IP with smartconsole. However, the VPN is not working. Even i have choose the "Selected address from topology table" IP to the 2nd ISP IP. The log from another side firewall reported "IKE Initiator: Proposed IKE ID mismatch" and further log shows "VPN Policy: VPN_Office2; Local ID: 2nd ISP IP; Remote ID: 1st ISP IP. The checkpoint still answering the 1st ISP IP as and ID. How come ? THX

---

@Maarten_Sjouw wrote:

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month period in which we moved all the 3rd parties one by one.

How? Well quite simple actually. first setting to change is the link selection Source IP address setting, (in R77.30 it was also possible to setup the outgoing interface) to Manual and set it to IP Address of chosen interface.

In the OS routing table the default route is either of the 2 ISP's. In our case we direct those IP's of the remote site's to the correct interface, this way the traffic will go out the right interface and use the IP of that ISP. The other side will also use that specific IP to build the tunnel.

---

Hi, I am currently in a same kind of situation and wanted to make sure I understood correctly. Ipsec VPN | Link selection page shows first IP Selection by Remote Peer. Should that be Calculate IP based on network topology? All others seem to be impossible solutions, when s2s connections would arrive in two interfaces.

Check Point manual recommends route based probing when using multiple ISP's for s2s's, but did you use just the OS routing table + source ip address setting of "IP address of chosen interface"?

Hi SamiH,

Did you ever get ISP redundancy working with Checkpoint and third party VPN?

If so what settings did you use for link selection?

@Kevin_Zeitler 

Look at ISP Redundancy "Apply settings for VPN traffic" is not working with 3rd party vendors 

But you can probe the availability of your remote third party vpn gateway with enabling of DeadPeerDetection (DPD)

VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer 

Wolfgang