Yep, Exactly but it would be an improvement to choose the link selection by community VPN of course always Based of Routing. To prevent this type of issues as sk173048.

I hope that will be in roadmap all those features.

Regards,

Correct - This has always been an issue with VPN redundancy with 3rd party devices. Even if Check Point has multiple ISP links we wont able to utilize all those to configure redundant VPN tunnel.

I've been waiting for that feature, because is very difficult to use all external ISP from the customer. Can we have any updates in R81.30 PhoneBoy?

That will fix a link selection issue. 

I've been waiting for that feature, because is very difficult to use all external ISP for 3rd Party VPN. Can we have any updates in R81.30?

That will fix a link selection issue. 

That is always been a issue and I shifted to other solution when there is such need where I wanted to consume both the ISP links for VPN tunnels.

Hi idants,

Great!! I'll be ready for any updates and more about Link Selection into a  VPN Community for 3rd Party GW VPN.

Best regards,

Hello idants 

Any news about this?

Well - we have so many customers are waiting for this feature and big adoption of cloud has really made this impossible to stay with one IP hence I managed to move tunnels on other devices which offers much more flexibility in configuring the tunnels.

I believe this feature is planned for R82.

This new feature is planned to be released as part of R82.

Some of the VPN capabilities are already available as part of SDWAN (R81.20).

You are welcome to share the exact use-case offline to understand if it might work.

Does this include VPN backup so that if the primary remote unit is down it will attempt to use the backup VPN device?

Hello @idants,

Use case: CheckPoint gateway "FW01" working as Internet Perimter fw, has two or more external interfaces. This gateway has s2s vpn's with many different third party gateways through all its ISP connections. FW01 can send only one IP address as its IKE Main Mode ID. Let's say we use external IP of ISP1 as our IKE Main Mode ID, all the remote peers that connect to ISP2 or ISP3 will receive a "wrong" IP address as IKE Main Mode ID. In these cases it brings additional complexity to the vpn, because in my experience this parameter is almost never configured manully, it is left as default, so we have to explain to third party admins what this parameter is, why we send a different IP address and ask to fix this on their end, because we can not do it on our side. In case this gateway has a WAN (different interface/IP) connection which also builds s2s vpn's with third parties it becomes more complex even.

It becomes more restrictive in case the same FW01 builds vpn's with other centrally managed gateways, where we normally would use Link Selection to have redundancy, but if we use HA or LS, it makes FW01 send the main ip adress as Main Mode ID mandatory.

Regards 

Really  - Did that work?

Hmmm - Let me try that out and see.