Thanks for reply!

If I understand you correctly, Secondary Connect already enabled in R77.30. Is that right?
There is no (enable_secondary_connect) section in trac_client_1.ttm file.

As you can see in SK75221 it shows default enabled. This is why I hate manuals that say to add something that is already enabled.

Secondary connect works after I add branch gateway to Remote Access community.

Authorization is performed on the main gateway and when I access to host at the branch site, secondary tunnel established.
But I cannot connect directly to branch gateway, error "site is not responding"

Maybe the reason is certificate installed on branch gateway?

Subject Alternate Names in main gateway internal certificate is public IP address of the gateway, while Subject Alternate Names in branch internal certificate is management (private) IP address of the gateway.

Should I reissue certificate with public IP at Subject Alternate Names?

Although you authenticate the first connection to the primary gateway, every other tunnel will be authenticated with the same credentials. Do you see the second Auth request? What type of authentication do you use?

The cert should not be a problem, as it does not really look at the IP's.

Hi!

I tried two methods of authentication

local account

AD account

Both times I recieved second authentication request, it was successful and the second tunnel was established.

Originally office mode network at branch gateway (10.1.180.0/24) was inside VPN domain (10.1.0.0/16) and I changed it to anoter network. But error was the same: "site is not responding"

At the main office gateway two certificates are installed: from internal CA and from Active Directory (with CN equal to public VPN interface of gateway CN=vpn.mycompanyname.com)

At the branch gateway only internal CA certificate is installed.

Is that certificate nececcary for Secondary Connect VPN scheme, or it is user only for SSL VPN?

Make sure that you do not have any overlap in the VPN domains of the gateways, there is a separate field in the VPN Topology area where you can add a VPN domain explicitly for Remote access. 

At what point do you get the Site not responding?

Secondary connect will make the connecting without any assistance from you, just try to connect (ping) to any device in the second location.

On the second location, make sure that routing for the Office Mode IP range of the primary GW is routed to that secondary gateway. 

the second login is normal, and will only happen once, the next time you login (if you set the login credential caching to a time that is around 1 hour) it will know you and the site and will use the cached credentials.

The certificates are irrelevant for secondary connect, the gateways cert is sufficient.

Thank you, this question is quite clear

I have another one:

I use custers (two gateways in Cluster XL high availability)

There is certificate for cluster from internal CA and there are certificates for both gateways too, but they are expired.

Does this gateways certificates have any matter for Secondary connect?

I can establish tunnel to branch gateway, and have access to branch resources via this tunnel, but I cannot connect to it directly. Is that normal?

when you go into the gateway object to the IP/Sec tab and see that the certificate there is expired you should just click renew. Yes this is needed for all VPN´s that use the certificate.

Always make sure they are valid.

I don´t understand your second question.

Hello, I ask you:

"I can establish tunnel to branch gateway, and have access to branch resources via this tunnel, but I cannot connect to it directly. Is that normal?"

I mean that I can only connect to HQ gateway, when I change gateway to branch gateway in "Gateway" field of Endpoint Security Client, I recieve "site is not responding" error.

I use local Checkpoint user or AD user, error is the same.

When connecting to HQ gateway, I can get access to branch hosts via Secondary Connect tunnel.

As I understand with Secondary Connect I should be able to connect to any gateway in Remote Access community.

Did you add the second gateway to the Remote Access community and did you install policy to that gateway?

You should be able to connect to that gateway directly, if that does not work, check the Remote Access settings in that gateway object and adjust where needed, ie you need to turn on Support Visitor Mode.

Thank you!

You point me to the right direction, I've enabled SSL Network Extender:

I also add Firewall rule to permit ssl traffic to external interface of gateway.

Gateway started to accept SSL connections.

But there is still no connections directly to gateway.

In wireshark I can see SSL communications and ISAKMP communications

ISAKMP communications ends with icmp Destination unreachable (Port unreacheable) messages from client side, although it started successfuly, but after three packets client responced with icmp Destination unreachable (Port unreacheable) messages.

I cannot understand what is missing this time

You need to click the Plus sign in front of VPN Clients then in that list select Remote access:

Here you need to enable Support Visitor Mode.

Support Visitor Mode enabled and it was already enabled.

I also check IKE Properties in Traditional mode configuration...

...and change it to match settings in Global Properties:

And of course I save and install policy after every change of settings

What does tracker show when you filter on the second gateway as destination?

Specially when you know the IP of the client this should help filtering.

PS do make sure you are NOT on the LAN of any of the Check Point FW's in your envirnoment.

Yes, there is something:

traffic to establish VPN to HQ gateway followed implied rule (number zero), although traffic to establish VPN to branch gateway followed other rule.

There was no access to TCP 443 from Internet to branch gateway therefore I had to add specific Firewall rule.

I suppose there should be implied rule for branch gateway too. 

P.S.

answering your comment: I use pure Internet for my tests (3G smartphone acting like access point for my laptop)

You need to make sure visitor mode is turned on on both gateways.

I found what was missing:

https at cluster public ip was occupied with NAT translation to private ip. I change NAT to another ip and connection was almost successful:

I found sk120652

"You cannot receive an office Mode IP address because the security gateway does not have a license f... 

They say that

Restarting Check Point services ("cpstop;cpstart", reboot) on the Active cluster member resolves the issue until a fail-over occurs from the current Active cluster member to the Standby cluster member.

I'm going to restart Checkpoint services on the active cluster member to perform one more check and contact support to get a Hotfix.