Hello Checkmates community!  I am having some trouble getting a site-to-site VPN working and I hope that someone can confirm our approach and/or some settings for me. We have a case open with TAC but unfortunately it is difficult to get downtime to work this out so I hope someone here has some experience with a similar scenario.

We have a 3rd party peer VPN where we would like to tunnel all traffic back through our CheckPoint GW so that the devices behind the peer can reach internal destinations on our LAN as well as the Internet. Essentially they will be acting like a satellite office which should be simple enough.

The third party has set their remote encryption domain to be 0.0.0.0/0. On our side, however, attempting to use 0.0.0.0/0 as our local encryption domain has been problematic with another of our existing tunnels, and so we have reverted to 10.0.0.0/8 on our side, and at the moment our proposals won't match exactly.

The questions I hope people here have the experience to answer are:

1) Is this scenario handled simply by changing the VPN routing to "to center or through the center to other satellites, to Internet and other VPN targets" (and controlling traffic via access policy) or do we need to accommodate the 0.0.0.0/0 vpn domain on our local side somehow?

2) do we need a group with exclusions locally when their side is part of the 10.0.0.0/8 space or is this handled smartly by the gateway since the remote encryption domain is defined?

3) TAC recommended going to one tunnel per gateway pair - along with the VPN routing setting this seems to make sense to keep the number of tunnels down - are their any other implications of doing this?

Thanks