Dear Checkpoint and Community,
we are facing S2S-VPN issues that we are not able to resolve at all.
We have two sites where we want to replace our existing non-Checkpoint firewalls with new Checkpoint Quantum Spark appliances and a Checkpoint management server. Also, these sites are currently connected via VPN since file servers and other stuff are located at the "main office" and the people from the branch need to access them.
In order to replace the existing devices, we try to set up the appliances at the main office and try to get VPN to work there so that we know the configuration steps before we do the actual migration/deployment. Since we have an IPv4 block available at the main office, we put a dumb switch behind the ISP router and connected our current firewall and the two Checkpoint firewalls to it, giving each device a unique public IP address from our block. The current setup is as follows (left the current working non-Checkpoint firewall out, since it doesn't matter; also IP addresses have been changed for privacy reasons):

Since the management server is behind the 2000 Appliance, we needed to add the 2000 Appliance to the server with its local/private IP as the main IP address, whereas the 1575 Appliance is added with its external/public IP. For this we also added the NAT rule to the management server object, as described in the documentation:


Internet connection and connection to the management server are working. However, when we want to set up a meshed S2S VPN community (domain-based VPN) for the 3 networks 192.168.42.0/24, 192.168.199.0/24 (mainoffice-gateway) and 192.168.99.0/24 (branch-gateway), it is not working. I suspect this is because the mainoffice gateway is added to the management server via its local address and the remote peer wants to connect to that local address, even though we configured link selection:

It looks like these settings are ignored, since "SmartView Monitor" shows the "Peer IP" for the tunnel direction branch-gateway->mainoffice-gateway as the local IP 192.168.42.13 instead of the external IP. Also, sometimes the tunnel comes up for a short amount of time and it's possible to e.g. ping from the mainoffice to the branch network, but later it goes down with a log message, e.g.:

The routing tables at the two devices are as follows:
Mainoffice gateway "show route" output:
The 192.168.199.0/24 network is not shown since nothing is connected to the interface at the moment, however you can ping the interface 192.168.199.254 from e.g. 192.168.42.0/24:
S 0.0.0.0/0 via 100.0.0.1, WANX1, cost 0, age 9740
C 127.0.0.0/8 is directly connected, lo
C 192.168.42.0/24 is directly connected, LAN1
S 192.168.99.0/24 via 100.0.0.6, WANX1, cost 0, age 9740
C 100.0.0.0/28 is directly connected, WANX1
Branch gateway "show route" output:
The 192.168.99.0/24 network is not shown since nothing is connected to the interface at the moment, however you can ping the interface 192.168.99.254 from e.g. the gateway itself:
S 0.0.0.0/0 via 100.0.0.1, DMZ, cost 0, age 423
C 127.0.0.0/8 is directly connected, lo
S 192.168.199.0/24 via 100.0.0.2, DMZ, cost 0, age 423
C 100.0.0.0/28 is directly connected, DMZ
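To make the routing check above repeatable, here is an added helper (not part of the post and not a Check Point tool) that parses "show route" lines in the format quoted above and reports, for each VPN-domain network, which next hop and interface a gateway would pick by longest-prefix match. The two route tables are copied from the post; the line format is assumed from those samples only.

```python
import ipaddress
import re

# Route tables copied from the post (IP addresses as given there).
MAINOFFICE_ROUTES = """\
S 0.0.0.0/0 via 100.0.0.1, WANX1, cost 0, age 9740
C 127.0.0.0/8 is directly connected, lo
C 192.168.42.0/24 is directly connected, LAN1
S 192.168.99.0/24 via 100.0.0.6, WANX1, cost 0, age 9740
C 100.0.0.0/28 is directly connected, WANX1
"""
BRANCH_ROUTES = """\
S 0.0.0.0/0 via 100.0.0.1, DMZ, cost 0, age 423
C 127.0.0.0/8 is directly connected, lo
S 192.168.199.0/24 via 100.0.0.2, DMZ, cost 0, age 423
C 100.0.0.0/28 is directly connected, DMZ
"""
VPN_DOMAINS = ["192.168.42.0/24", "192.168.199.0/24", "192.168.99.0/24"]

# Assumed line shapes: "<code> <net> via <nh>, <iface>, ..." and
# "<code> <net> is directly connected, <iface>".
VIA_RE = re.compile(r"^(\w)\s+(\S+)\s+via\s+(\S+),\s*(\S+),")
CONN_RE = re.compile(r"^(\w)\s+(\S+)\s+is directly connected,\s*(\S+)")

def parse_routes(text):
    """Return (network, next_hop or None, interface, code) tuples."""
    routes = []
    for line in text.splitlines():
        if m := VIA_RE.match(line.strip()):
            code, net, nh, iface = m.groups()
            routes.append((ipaddress.ip_network(net), ipaddress.ip_address(nh), iface, code))
        elif m := CONN_RE.match(line.strip()):
            code, net, iface = m.groups()
            routes.append((ipaddress.ip_network(net), None, iface, code))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst; None if no route (not even a default)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return best

def domain_paths(routes, domains):
    """Map each VPN-domain network to (next hop or 'connected', interface)."""
    out = {}
    for d in domains:
        r = lookup(routes, ipaddress.ip_network(d).network_address)
        out[d] = None if r is None else (str(r[1]) if r[1] else "connected", r[2])
    return out

if __name__ == "__main__":
    for name, text in (("mainoffice", MAINOFFICE_ROUTES), ("branch", BRANCH_ROUTES)):
        print(name, domain_paths(parse_routes(text), VPN_DOMAINS))
```

Running it shows that the branch gateway reaches 192.168.42.0/24 only through the default route via 100.0.0.1, while 192.168.199.0/24 goes via the mainoffice public address 100.0.0.2.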
There is also a firewall policy installed on the two gateways that allows all traffic from and to the networks specified in the VPN domain / community settings.
Am I missing something here, or is it simply not possible to have this kind of setup? Any suggestions where to look next or what could be the issue are welcome, since I am completely lost now.
Thanks in advance. Kind regards,