This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ayoub_Bou
Explorer
‎2025-07-21 06:10 AM

VPN Site2Site, 2 Tunnels

Hello,

 

I need to setup 2 Tunnels  toward a partner( from Checkpoint R81.20 to Cisco ASA); how can i achieve  failover from first tunnel to second in case of failure? (Attached the schema).

 

Regards; 

Preview file
27 KB
0 Kudos
16 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-07-21 11:35 AM

To me, based on what you attached, seems like it would make sense to set one meshed community and have all 3 gateways included (2 Cisco sites would be presented as interoperable objects). That way, if say one Cisco side goes down, tunnel would still work to the other one.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ayoub_Bou
Explorer
‎2025-07-22 02:48 AM
In response to the_rock

Hello,

 

Thank you for your reply, is there any SK on how to configure this?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-07-22 04:15 AM
In response to Ayoub_Bou

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/CP_R82_Si...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ayoub_Bou
Explorer
‎2025-07-22 07:34 AM
In response to the_rock

it's impossible to have the same encryption domain to 2 different interoperable objects

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-07-22 07:36 AM
In response to Ayoub_Bou

Sure you can.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-07-22 07:44 AM
In response to Ayoub_Bou

Btw, I would do what @Martijn suggested, makes total sense. Also, you can set enc domains as empty group for everything (Cisco and CP), but make sure traffic is controlled with the correct rule, ie include whatever subnets need to participate.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Martijn
MVP
MVP
‎2025-07-22 03:26 AM

Hi,

Consider using tunnel interfaces (VTI's) and a routing protocol (OSPF).

If a VTI goes down, OSPF will use the other VTI to route traffic.

Regards,
Martijn


(1)
Ayoub_Bou
Explorer
‎2025-07-23 12:55 AM
In response to Martijn

Hi, thank you for your reply, i only manage the checkpoint cluster, ospf neeed to be configured on cisco ASA(managed by partner) as well?

0 Kudos
Martijn
MVP
MVP
‎2025-07-23 01:00 AM
In response to Ayoub_Bou

Hi,

Yes, OSPF needs to be configured on both end of the VPN tunnel.

Regards,
Martijn

Ayoub_Bou
Explorer
‎2025-07-23 07:55 AM
In response to Martijn

Hello,

 

routing with VTI is difficult to implement, our partner is not too technical, i found in a threat that it's possible, 1 community ,2 interoperable GW, same encryption domain, 

 

2 VPN's Same Remote Encryption Domain - Check Point CheckMates

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-07-23 08:02 AM
In response to Ayoub_Bou

Its actually pretty simply. But, I mean, like anything in life, things are easy when you know it : - ). Anyway, check out link I posted while back about doing this for Azure vpn tunnel, hope it helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-07-23 11:24 PM

The solution is to use explicit MEP (Multiple Entry Point) feature inside VPN Community settings.

Site1 and Site2 will use the same VPN encryption domain. Inside MEP settings, Site1 can be set as Primary gateway and in case Site1 is not responding, VPN will switch to use Site2.

There is also option to use implicit MEP where you can choose which gateway should be used as primary and which as backup.

Kind regards,
Jozko Mrkvicka
the_rock
MVP Diamond
MVP Diamond
‎2025-07-24 03:48 AM
In response to JozkoMrkvicka

You got it! @Ayoub_Bou , implicit MEP option would be used if vpn domains overlap.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ayoub_Bou
Explorer
‎2025-07-25 01:55 AM
In response to the_rock

Hello Andy,

 

domain overlap is on the peer side ( Cisco ASA), i can't configure MEP on my side,  i dont know if traffic failsover automaticly with this config ( schema attached) 

Preview file
49 KB
Preview file
66 KB
0 Kudos
Ayoub_Bou
Explorer
‎2025-07-25 01:51 AM
In response to JozkoMrkvicka

Hello,

in my environement, there is one single entry( Checkpoint Cluster), and the satellilte gateways are not managed by me

 

Preview file
66 KB
Preview file
49 KB
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-07-25 11:43 PM
In response to Ayoub_Bou

Hi,

Just swap Center gateways with Satellite Gateways each other.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events