This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dido-Master
Participant
Participant
‎2025-03-27 11:41 AM
Jump to solution

VPN Site2Site

Hello mates!

 

I got a situation!

 

Cenario:

I have one vpn tunnel site2site configure and operational. I need to configure a redundant (second) vpn tunnel with exactly the same configuration except for the source and destination peer address. The problem is, every time the firewall try to establish the connection, it chooses always the first WAN interface as the source even if the source ip address selection is set to  "Automatically chosen according to outgoing interface". I only have one default route configured for the primary link.

 

What should i accomplish to resolve this problem?!

Hardware in use: Checkpoint Quantum Spark 1590

Thanks in advance!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-03-28 03:25 PM
In response to Dido-Master
Jump to solution

I was explaining how the feature works.
Unfortunately, it cannot be used to achieve your goal which, as I understand it, is to create TWO connections to the same encryption domain using different source/destination IPs for both tunnels.

This requires the use of MEP (Multiple Entry Point), among other things which are not currently supported on locally managed Quantum Spark appliances.
ISP Redundancy can be used to use different WAN IPs for a given VPN endpoint (requires multiple Internet connections).

View solution in original post

0 Kudos
11 Replies
the_rock
MVP Gold
MVP Gold
‎2025-03-27 04:48 PM
Jump to solution

I assume its locally managed smb with 2 wan links?

Andy

0 Kudos
Dido-Master
Participant
Participant
‎2025-03-28 12:25 AM
In response to the_rock
Jump to solution

Hi The Rock

 

Yes it is!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-03-28 04:13 AM
In response to Dido-Master
Jump to solution

Can you send screenshots of how its configured, if possible? Just blur out sensitive data.

Andy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-03-28 01:41 AM
Jump to solution

Not clear - does it mean even if the first ISP is down, it will not use the second WAN ? What about probing settings?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dido-Master
Participant
Participant
‎2025-03-28 01:49 AM
In response to G_W_Albrecht
Jump to solution

Hi G_W

 

First: I want to know if it is possible to establish both tunnel up and running according to the cenario i presented.

Secord: If the first condition is possible, how to solve it. Is it necessary to add a new default route for the second link?!

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-28 02:41 PM
Jump to solution

That's what Automatically Chosen According to Outgoing Interface will do: use the IP address associated with the interface that is used for the "next hop" to reach that address.
Unless you have a specific route configured for the remote encryption domain, the IP associate with your Default Route (i.e. via WAN1) will be used.
Or you configure ISP Redundancy. 

0 Kudos
Dido-Master
Participant
Participant
‎2025-03-28 02:49 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy

You're saying that to make both tunnel up and operational i have to configure 2 specific static route instead of depending on the Default route?! 'Cause i already have a specific static route for the second link, but even so, isn't working!

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-03-28 03:02 PM
In response to Dido-Master
Jump to solution

Sounds like that to me.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-28 03:25 PM
In response to Dido-Master
Jump to solution

I was explaining how the feature works.
Unfortunately, it cannot be used to achieve your goal which, as I understand it, is to create TWO connections to the same encryption domain using different source/destination IPs for both tunnels.

This requires the use of MEP (Multiple Entry Point), among other things which are not currently supported on locally managed Quantum Spark appliances.
ISP Redundancy can be used to use different WAN IPs for a given VPN endpoint (requires multiple Internet connections).

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-03-29 08:40 AM
Jump to solution

Is the remote peer IP also different? The ip you use to setup the tunnel with?

Otherwise you have overlap and it will not work. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Dido-Master
Participant
Participant
‎2025-03-31 12:28 AM
In response to Lesley
Jump to solution

Hi Lesley

 

Yes. the remote peer is also different on both tunnels.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events