I'm looking for some pointers, please. I've read through various posts on here about two VPN tunnels but I haven't found anything yet that addresses my scenario.
GW-A on Site 1.
GW-B on Site 2.
Managed by the same SmartCenter. Gateways are 3600s. Everything is R81.20 T99.
GW-A on Site 1 is connected to an ADSL line with a static IP.
GW-B on Site 2 is a cluster. Using business Starlink (with a single static IP). This plugs into a Cisco C1111 which picks up the Starlink public IP. The LAN side of the C1111 is RFC1918 via a switch in order to connect both cluster members. The C1111 port forwards everything to the cluster's RFC1918 IP. Default Gateway on the cluster is the LAN side of the C1111. Internet works a treat.
I created a VPN between the sites using VTI. In order to do this I had to set the IPsec "link selection" to use the statically NATted IP - the Starlink public IP. That VPN works a treat.
Now we've just got a point-to-point circuit installed - layer 2. So GW-A and GW-B are now joined on different interfaces. GW-A is .1, GW-B is .254 on the same subnet. This works a treat.
I need to VPN between the gateways over the P2P circuit as the primary VPN, and have the Starlink route as a secondary/backup VPN. I'm struggling.
Each VPN on its own works fine, but I can't figure out how to get both up at the same time.
I see a couple of problems I'm struggling to overcome (there may be more?!). In no particular order:
1) I can't create a second VTI in Gaia because the "peer name" is already in use on the first VTI.
2) In order to get the P2P VPN up I need to remove the Starlink IP from Link Selection.
3) If I create interoperable devices for the P2P interfaces and use those names for the VTI, and put them in a community, the logs then fill up with "VTI 'vpnt12' failed to attach: Peer object name not found".
Diagram below to illustrate. The P2P circuit has Telco kit at each end but it's layer 2 so I didn't show the Telco kit on the diagram.
Does anyone know if there's a way to achieve this? Or do I have to forget the idea of a backup VPN via Starlink?
