This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Saranya_0305
Collaborator
‎2025-10-06 12:47 AM
Jump to solution

IPsec VPN between Checkpoint and Remote Server

Dear Mates,

I am having Cluster setup running in R81.10 and Management Server in R81.20.

My firewalls having two ISPs(external interfaces) which are in ISP redundancy mode. 

Now I want to create a IPsec VPN tunnel between Firewall and third party Remote server directly,  it it possible?

If it is possible then how can I use my two ISPs?

- Do I need to make two different IPsec tunnels? If yes, will they  work redundancy mode automatically or we need to manually?

- Can we do FQDN and map those two ISPs to that FQDN and create IPsec tunnel?

 

Can anyone please suggest me?

 

Regards,

Saranya

0 Kudos
2 Solutions

Accepted Solutions
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-07 06:30 AM
Jump to solution

@the_rock gave info on how you can do this with the Endpoint VPN client, but for site-to-site VPNs with 3rd party gateways, this can't be done with pre-shared keys.  If the remote end is willing to do either:

  • Use a certificate issued by your management internal_ca, or
  • Use VTI with IKEv2 and universal tunnels  (likely the better choice)

 

With certificate, the remote end can allow your side to appear as a "dynamic IP" VPN peer and allow authentication to rely on the certificate. However, now that we have VTIs and universal tunnels, certificates will be less preferred and instead you should use the VTIs.

The remote end will build 2 VPN gateways for each of your ISP-provided IPs (or the cluster VIP for each, if you have ISP Redundancy on a cluster).  The encryption domains for both you and them will be empty group objects (or, however the remote device does this).  You'll then create a VTI on your firewall gateway in CLISH, as will the remote peer.  The IPs on the VTIs are irrelevant; VTIs are just point-to-point links and any packet you send to that VTI device will be encrypted and sent to the specified remote peer (specified in the VTI configuration).

You can use static routing with either primary/secondary priority, or just let it be equal-cost; doesn't matter either way.  This is how you do an AWS VPNgw redundant VPN, too.

The remote peer does the same thing, only in reverse, with a VTI on their side.  They will add static route for your VPN networks across the VTI.  Configure the VPN community tunnel management as "one tunnel per gateway pair" and you're done.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

View solution in original post

(1)
8 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-06 04:28 AM
Jump to solution

I believe it would have to be manual option, unless you have routes with different priorities, so if main one fails, then other one will take over. Here is my reasoning for it...if you think about it logically, say you have VPN with Cisco or Fortinet or PAN, whatever really. IF main link fails, well, there is no way other side would "know" about new ISP link, so tunnel would never re-establish.

Hope that helps.

Andy

Best,
Andy
0 Kudos
Saranya_0305
Collaborator
‎2025-10-07 02:35 AM
In response to the_rock
Jump to solution

Can we map two different vendor ISPs IP to single FQDN and make VPN tunnel?

Regards,

Saranya

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-07 03:59 AM
In response to Saranya_0305
Jump to solution

Im fairly sure you can, you just need 2 A records pointing to same fqdn. I know we did this for a customer while back for remote access.

Andy

Best,
Andy
0 Kudos
Saranya_0305
Collaborator
‎2025-10-07 04:07 AM
In response to the_rock
Jump to solution

Thanks @the_rock , Can you please share any related SK or document?

 

Regards,

Saranya

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-07 04:10 AM
In response to Saranya_0305
Jump to solution

I know there were 2, one I can easily find, but will check the 2nd one later and update you.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-07 05:39 AM
In response to Saranya_0305
Jump to solution

There you go.

Andy

https://support.checkpoint.com/results/sk/sk103440
https://support.checkpoint.com/results/sk/sk131612

Best,
Andy
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-07 06:30 AM
Jump to solution

@the_rock gave info on how you can do this with the Endpoint VPN client, but for site-to-site VPNs with 3rd party gateways, this can't be done with pre-shared keys.  If the remote end is willing to do either:

  • Use a certificate issued by your management internal_ca, or
  • Use VTI with IKEv2 and universal tunnels  (likely the better choice)

 

With certificate, the remote end can allow your side to appear as a "dynamic IP" VPN peer and allow authentication to rely on the certificate. However, now that we have VTIs and universal tunnels, certificates will be less preferred and instead you should use the VTIs.

The remote end will build 2 VPN gateways for each of your ISP-provided IPs (or the cluster VIP for each, if you have ISP Redundancy on a cluster).  The encryption domains for both you and them will be empty group objects (or, however the remote device does this).  You'll then create a VTI on your firewall gateway in CLISH, as will the remote peer.  The IPs on the VTIs are irrelevant; VTIs are just point-to-point links and any packet you send to that VTI device will be encrypted and sent to the specified remote peer (specified in the VTI configuration).

You can use static routing with either primary/secondary priority, or just let it be equal-cost; doesn't matter either way.  This is how you do an AWS VPNgw redundant VPN, too.

The remote peer does the same thing, only in reverse, with a VTI on their side.  They will add static route for your VPN networks across the VTI.  Configure the VPN community tunnel management as "one tunnel per gateway pair" and you're done.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-07 06:36 AM
In response to Duane_Toler
Jump to solution

I got this document from someone in community while ago, not sure it may help in this case, but here it is anyway 😊

Andy

Best,
Andy
Preview file
369 KB

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events