Hi, we have Check Point ClusterXL R80.20 firewalls with an IPsec site-to-site VPN to a third party (Cisco). I need to create a backup VPN to a different gateway IP address at the third party (all internal IP address encryption domains remain the same).
Is the only way I can do this to create a new VPN using VTIs?
I've read through the docs and I cannot see a quick way of implementing what seems a simple request.
Failover between the sites will be much more reliable with VTIs.
Paul,
Maybe I'm confused about this... are you saying you want to use the SAME CP cluster to create a different VPN cluster with another Cisco gateway as the 3rd party appliance, or something else?
Andy
We would just like to define a second external gateway to connect to should the primary VPN go down. The external third party has set up this backup gateway. Surely there should be some way to get Check Point to create the VPN with this alternative gateway with the same IP domain settings in the event the primary fails. Our Check Point cluster already has its own resilience with two appliances some distance apart and dual separate Internet pipes.
AFAIK, two third-party remote peers using the same VPN topology (IPsec phase 2 protected networks) is not possible.
As Phoneboy mentioned, it is done by creating a route-based VPN and VTIs.
That's what I thought. I have never set up a VTI VPN, but from what I have read, it looks to me like a route-based VPN would not be as secure as a policy-based VPN.
I don't know what security aspects would speak against a route-based VPN, such that one could not use it.
Ok, I am going to throw this out there and I could be 100% wrong, but I saw customers do it this way and it does work. So, just for some context, if you were doing this on Fortigate or Cisco, you could set up a brand new VPN tunnel WITHOUT always having to use the same encryption domain, but sadly, in Check Point, that's not possible, as you have to define it on the gateway object itself. Personally, I don't even think that's needed, as you could leave it at the default (all IP addresses behind the firewall). In reality, what controls the traffic are the rules, not the encryption domain for the VPN. So technically, that way, you could have the same gateway used as backup; you would just need a different rule to control the traffic within that separate VPN community. There is an option for a backup gateway in Global Properties and on the object itself, BUT that's only for remote access VPN... NOT site-to-site VPN.
I honestly can't think of any other logical way to do this without changing the type of VPN. Anyway, I'm happy to do a remote session and see if I can help you. Message me privately and we can set something up.
Cheers!
Andy
Security-wise, if we used VTIs the third party wants us to allow a real /17 range of real IP addresses, and we would be allowing dynamic routing protocols that we don't currently use.
It seems to me that Check Point is lacking in this area compared to competitors.
Ottawacanada150, briefly, how would you define the backup gateway to the VPN?
Of course it's lacking in this area, it's always been like that, sadly :(. Anyway, for the backup feature, but again, keep in mind, this ONLY applies to client-to-site VPN... under Global Properties -> VPN -> Advanced -> Enable Backup Gateway, then swing over to the FW object and once you open the object itself, under VPN, you will see the option to choose a backup gateway -> enable that and choose the right backup gateway, then push policy. Steps would be something like this: