Hi Simone,

Is it also possible to achieve this using MEP, with the center gateways acting as the peer gateways? And in satellite gateways my checkpoint cluster?

MEP is only available between Check Point gateways.

I'm pretty sure that Cato support VPN route-based with BGP (or eventually static routing); I found a documentation page from Cato official site related to VPN between AWS gateway with redundancy.

Usually if you need redundancy, the best solution (adopted also by cloud provider, Harmony SASE, etc.) is route based vpn with routing protocol.

hi simone,
so i need to create VTI for this right?

Yes, you should create 2 VTIs numbered

Yes you're right.

Have you already configured a route based vpn in the past?

Yes, with AWS the usually provide a file with all the steps to follow, while in this case we don’t have it, which is why I’m asking.

At this point, we also need to inform the other side that we are going to set up a VTI tunnel, since they will need to configure the corresponding networks (169.254.x.x) accordingly as well. Am I right?

Yes, you're right.

AWS provide a TXT file with all the configuration you need to apply, but the steps are the same for every route-based vpn.

Also reported in the admin guide: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

Hi Simone,
Only for info, i've checked the documentation related to MEP configuration and it seemes to be applied also for 3rd party Gateways:
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

Implementation

MEP is implemented using RDP for Check Point Security Gateways and DPD for 3rd party Gateways / Cloud vendors.

Ok, good to know, I never used DPD for this purpose and, in addition, I don't trust DPD; I've always used Router-based vpn and BGP to implement VPN redundancy, for me is more standard and manageable.