---
title: "AWS Redundant Tunnels - Transit Gateway"
slug: "aws-redundant-tunnels-tgw"
updated: 2026-04-07T09:02:13Z
published: 2026-04-07T09:02:13Z
canonical: "support.perimeter81.com/aws-redundant-tunnels-tgw"
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Redundant Tunnels - Transit Gateway


## Introduction

This guide walks you through establishing redundant VPN tunnels between your Check Point SASE network and your AWS Transit Gateway environment. Two tunnels, each terminating on a different Check Point SASE gateway, keep the connection up if one gateway or its ISP link fails.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, you should have:

1. An active Check Point SASE account and network.
2. The Check Point SASE app installed on your devices.
3. An active AWS account with the necessary permissions.

## Configuration Steps

## Create Check Point SASE Gateways

1. Your Check Point SASE Network must have at least two different gateways in the same network, as listed below.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-21_at_12_22_03_PM.png)

Important notes

- These gateways can be deployed in two separate [Regions](/v1/docs/adding-regions-and-gateways) for comprehensive ISP redundancy.
- The network can be scaled up, and adding another region should not affect the connection.

## Create a Transit Gateway on AWS

Note

- You can skip this step if you already have a Transit Gateway in your AWS region.

1. Under **TRANSIT GATEWAYS,** click **Transit Gateway** and then **Create a Transit Gateway.**  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-21_at_2_55_02_PM.png)
2. Create a **Transit Gateway** with the default settings. The Amazon-side ASN defaults to **64512**; note it, because it becomes the **Remote Gateway ASN** on the Check Point SASE side, and the Customer Gateway ASN you choose next must be different from it.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Create_transit_gateway___VPC_Management_Console_1_.png)
3. Navigate to **Transit Gateway Attachments** under **VPC**, and create a **Transit Gateway Attachment** for your **VPC.**

## Create two Site-to-Site VPN connections

1. In your **AWS VPC,** under **VIRTUAL PRIVATE NETWORK (VPN),** click **Site-to-Site VPN Connections**, then **Create VPN Connection.**  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-21_at_3_32_31_PM.png)
2. Under **Target Transit Gateway,** select the Transit Gateway we created previously, and for **Customer Gateway,** choose **New**.  
Under **IP Address**, enter the first Check Point SASE Gateway IP. **Routing** is **Dynamic (BGP)**.  
The **BGP AS Number** is the ASN of the Check Point SASE network. It must differ from the Transit Gateway's Amazon-side ASN (64512 for a Transit Gateway created with the default settings), so choose another private ASN (64512-65534), for example **65000**. Note the value; the same ASN goes into the **Shared Settings** of the Check Point SASE tunnel later.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1698093769704.png)
3. Make sure your naming convention makes sense so you can locate and discern between the connections later.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-01-10_at_2_48_40_PM.png)
4. Navigate to **Transit Gateway attachments** under *TRANSIT GATEWAYS*, find the **Transit Gateway Attachment** you just created, and rename it to something that makes sense to you, like the screenshot below:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-22_at_12_56_39_PM.png)
5. Navigate back to **Site-to-Site VPN Connections**, select the VPN connection that was created, then click **Download Configuration.**  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-01-10_at_2_48_40_PM(2).png)
6. Be sure to choose **Generic** under **Vendor** and **IKEv2** for **IKE Version.**  
![VPN_Connections___VPC_Management_Console.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/VPN_Connections___VPC_Management_Console%281%29.png)
7. Download and rename the file **Tunnel1.txt.** The file contains the tunnel's pre-shared key in clear text, so store it like any other credential and delete it once the tunnel is configured.
8. Repeat steps **1-6** for the other **Site-to-Site** Tunnel. This time, use the **Second Check Point SASE Gateway IP**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-01-10_at_2_43_35_PM(1).png)![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-01-10_at_2_57_43_PM.png)
9. Rename the second file you downloaded **Tunnel2.txt.**
10. Make sure to change the name under **Transit Gateway attachments** for this site as well:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-22_at_1_10_41_PM.png)  

VPC attachment

- To access your VPC through the redundant connection, a VPC attachment to the Transit Gateway must exist (see step 3 of "Create a Transit Gateway on AWS").  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1682003399209.png)
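Creating the two VPN connections from the AWS CLI instead of the console also lets you pin the AWS tunnel options, so the AWS endpoints only negotiate the IKEv2 / AES-256 / SHA-512 / DH group 21 proposal that the Check Point SASE **Advanced Settings** below prescribe (by default an AWS tunnel endpoint accepts a much wider set of proposals, including older ones). The following Python is an added example, not part of this guide or of any Check Point or AWS tooling: the customer gateway and Transit Gateway IDs, the sample keys and the inside /30s are placeholders, and the CLI call is rendered as a string for you to review rather than executed.

```python
"""Pin the AWS side of a Site-to-Site VPN connection to the one proposal the
guide configures on the Check Point SASE side: IKEv2, AES-256, SHA-512,
DH group 21 (ecp521), IKE lifetime 8 h, tunnel lifetime 1 h, DPD timeout 30 s."""
import ipaddress
import json
import re
import secrets
import string

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# /30 blocks AWS reserves and rejects as TunnelInsideCidr.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# AWS pre-shared key rule: 8-64 letters, digits, periods, underscores; no leading zero.
PSK_RE = re.compile(r"^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$")


def generate_psk(length=32):
    """Random pre-shared key that satisfies the AWS character rules."""
    alphabet = string.ascii_letters + string.digits + "._"
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if PSK_RE.match(psk):
            return psk


def validate_inside_cidr(cidr):
    """TunnelInsideCidr must be a /30 inside 169.254.0.0/16 and not a reserved block."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL) or net in RESERVED_INSIDE:
        raise ValueError(f"{cidr} is not an allowed tunnel inside /30")
    return cidr


def tunnel_options(psk, inside_cidr=None, ike_lifetime=28800, ipsec_lifetime=3600, dpd_timeout=30):
    """One TunnelOptions element. Defaults are the guide's 8 h / 1 h / 30 s; AWS
    accepts phase 1 900-28800 s, phase 2 900-3600 s and not above phase 1, DPD >= 30 s.
    Leave inside_cidr None to let AWS pick the /30 (the guide relies on that)."""
    if not PSK_RE.match(psk):
        raise ValueError("pre-shared key violates the AWS length/character rules")
    if not (900 <= ike_lifetime <= 28800 and 900 <= ipsec_lifetime <= 3600
            and ipsec_lifetime <= ike_lifetime):
        raise ValueError("lifetime outside the range AWS accepts")
    if dpd_timeout < 30:
        raise ValueError("DPD timeout must be at least 30 seconds")
    opts = {
        "PreSharedKey": psk,
        "Phase1LifetimeSeconds": ike_lifetime,
        "Phase2LifetimeSeconds": ipsec_lifetime,
        "DPDTimeoutSeconds": dpd_timeout,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-512"}],
        "Phase1DHGroupNumbers": [{"Value": 21}],   # group 21 = ecp521
        "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-512"}],
        "Phase2DHGroupNumbers": [{"Value": 21}],
    }
    if inside_cidr is not None:
        opts["TunnelInsideCidr"] = validate_inside_cidr(inside_cidr)
    return opts


def vpn_connection_options(psks, inside_cidrs=(None, None)):
    """The --options document: dynamic (BGP) routing and both AWS endpoints pinned."""
    if len(psks) != 2 or len(inside_cidrs) != 2:
        raise ValueError("a VPN connection has exactly two AWS tunnel endpoints")
    if inside_cidrs[0] is not None and inside_cidrs[0] == inside_cidrs[1]:
        raise ValueError("the two endpoints need different inside /30s")
    return {"StaticRoutesOnly": False,
            "TunnelOptions": [tunnel_options(k, c) for k, c in zip(psks, inside_cidrs)]}


def create_vpn_connection_command(cgw_id, tgw_id, psks, inside_cidrs=(None, None)):
    """Render (not run) the AWS CLI call for one of the guide's VPN connections;
    cgw_id is the customer gateway created for one Check Point SASE gateway
    (placeholder IDs below are not real resources)."""
    options = json.dumps(vpn_connection_options(psks, inside_cidrs))
    return (f"aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id {cgw_id} "
            f"--transit-gateway-id {tgw_id} --options '{options}'")


if __name__ == "__main__":
    keys = [generate_psk(), generate_psk()]
    print(create_vpn_connection_command("cgw-0123456789abcdef0", "tgw-0123456789abcdef0", keys))
```

Run the rendered command once per Check Point SASE gateway (each with its own customer gateway ID), then download the Generic configuration as in step 5; the keys you passed in are the ones that appear in the file, so they never have to be re-typed. The `StaticRoutesOnly: false` entry is what makes the connection use BGP, matching **Dynamic (BGP)** in step 2.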

## Creating the High Availability Check Point SASE Tunnel

1. In Your **Check Point SASE Admin console**, Navigate to your network.
2. Click "..." next to one of the gateways and select **Add Tunnel**.
3. Choose **IPSEC Site-2-Site Tunnel**, then **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-01-10%20at%203.08.31%20PM(1).png)
4. Select **Redundant Tunnels**, and afterward click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-01-10%20at%203.10.10%20PM.png)
5. Choose a descriptive name for your tunnel.
  - For example, if your Transit Gateway is located in the US-East region of AWS, you could name the tunnel "USEast"; if this is your staging environment, call it "Staging".  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-01-10%20at%203.11.35%20PM.png)
6. Copy the values for the first tunnel from **Tunnel1.txt**. The file describes both AWS endpoints of the VPN connection; this guide uses the first one, the **IPSec Tunnel #1** section:
  - **Shared Secret:** Pre-Shared Key  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-21_at_4_03_13_PM.png)
  - **Check Point SASE Gateway Internal IP:** Inside IP Addresses, Customer Gateway.
  - **Remote Public IP** and **Remote ID:** Outside IP Addresses, Virtual Private Gateway.
  - **Remote Gateway Internal IP:** Inside IP Addresses, Virtual Private Gateway. The file gives this address with a /30 prefix length; paste only the address.
  - **Remote Gateway ASN:** Virtual Private Gateway ASN under BGP Configuration Options.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-21_at_4_04_30_PM(2).png)
  - In the **Tunnel 1** section, specify these:
    - **Gateway:** the first Check Point SASE gateway, the one whose public IP you entered as the Customer Gateway of this VPN connection.
    - **Shared Secret:** the Pre-Shared Key from the file. Both sides must hold the same key, so if you prefer a key of your own or click **Generate**, you must also change the pre-shared key of the AWS tunnel to match.
    - **Check Point SASE Gateway Internal IP:** Check Point SASE internal IP for tunnel 1.
    - **Remote Public IP:** AWS gateway external IP.
    - **Remote Gateway Internal IP:** AWS gateway internal IP.
    - **Remote Gateway ASN:** the AWS ASN (64512 for a Transit Gateway created with the default settings).
    - **Site ID:** the public IP of the remote tunnel, i.e. the same value as Remote Public IP.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Tunnel01(1).PNG)
7. In the **Tunnel 2** section, specify the same fields using the values from **Tunnel2.txt** (again its **IPSec Tunnel #1** section):
  - **Gateway:** the second Check Point SASE gateway.
  - **Shared Secret:** the Pre-Shared Key from Tunnel2.txt (or your own key, changed on the AWS tunnel as well).
  - **Check Point SASE Gateway Internal IP:** Check Point SASE internal IP for tunnel 2.
  - **Remote Public IP:** AWS gateway external IP.
  - **Remote Gateway Internal IP:** AWS gateway internal IP.
  - **Remote Gateway ASN:** the AWS ASN.
  - **Site ID:** the public IP of the remote tunnel, i.e. the same value as Remote Public IP.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Tunnel02(1).PNG)
8. In the **Shared Settings** section, specify these:
  - **Check Point SASE Proposal Subnets:** Leave Any (0.0.0.0/0) selected.
  - **Remote Gateway Proposal Subnets:** Leave Any (0.0.0.0/0) selected.
  - **ASN:** the Check Point SASE ASN. It must equal the **BGP AS Number** you gave the Customer Gateway on AWS and must differ from the AWS ASN.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SharedSetting_Any_Any(1).PNG)
9. In the **Advanced Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Cisco%20ASA_512_521(4).PNG)
  - **IKE Version:** V2
  - **IKE Lifetime:** 8h
  - **Tunnel Lifetime:** 1h
  - **Dead Peer Detection Delay:** 10s
  - **Dead Peer Detection Timeout:** 30s
  - **Phase 1**:
    - **Encryption (Phase 1):** aes256
    - **Integrity (Phase 1):** sha512
    - **Key Exchange Method:** ecp521 (Diffie-Hellman group 21 in AWS terms)
  - **Phase 2**:
    - **Encryption (Phase 2):** aes256
    - **Integrity (Phase 2):** sha512
    - **Key Exchange Method:** ecp521 (Diffie-Hellman group 21 in AWS terms)
10. Click **Add Tunnel**.
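Steps 6 and 7 transcribe values from the two downloaded files by hand, which is where most mistakes in this procedure happen. The following Python is an added example, not code from this guide or from Check Point or AWS: it parses an AWS "Generic" download into exactly the form fields above, strips the /30 from the inside addresses, and checks the things that most often keep a tunnel or its BGP session down (Check Point SASE ASN equal to the AWS ASN, inside addresses not in one /30, key length, both VPN connections pointing at the same gateway). The two embedded files are constructed stand-ins using documentation addresses and placeholder keys; the parser keys on the labels the Generic format prints, which the sample reproduces, so compare them with your own download before relying on it.

```python
"""Extract the values the Check Point SASE redundant-tunnel form asks for
(guide step 6) from an AWS "Generic" vendor configuration download."""
import ipaddress
import re

# Constructed excerpt in the layout of an AWS "Generic" download (documentation
# addresses, placeholder key). Real files are longer and also carry an
# "IPSec Tunnel #2" section for the second AWS endpoint, parsed the same way.
SAMPLE_TUNNEL1_TXT = """\
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpsk.one_ReplaceMe1

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21

Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

#4: Border Gateway Protocol (BGP) Configuration:
BGP Configuration Options:
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 64512
"""
# Constructed Tunnel2.txt for the second VPN connection: same layout, the second
# Check Point SASE gateway as Customer Gateway, its own AWS endpoint, key and /30.
SAMPLE_TUNNEL2_TXT = (SAMPLE_TUNNEL1_TXT.replace("203.0.113.10", "203.0.113.11")
                      .replace("198.51.100.2", "198.51.100.3")
                      .replace("169.254.1", "169.254.2").replace("_ReplaceMe1", "_ReplaceMe2"))

LABEL_RE = re.compile(r"^\s*-\s*(?P<label>[A-Za-z ()\-]+?)\s*:\s*(?P<value>\S+)")
BLOCKS = {"Outside IP Addresses": "outside", "Inside IP Addresses": "inside"}


def parse_generic_config(text):
    """Return {tunnel_number: fields} for every 'IPSec Tunnel #N' section."""
    tunnels, current, block = {}, None, None
    for line in text.splitlines():
        head = re.match(r"IPSec Tunnel #(\d+)", line)
        if head:
            current, block = tunnels.setdefault(int(head.group(1)), {}), None
            continue
        if current is None:
            continue
        for prefix, name in BLOCKS.items():  # "Customer Gateway" occurs in both blocks
            if line.strip().startswith(prefix):
                block = name
        m = LABEL_RE.match(line)
        if not m:
            continue
        label, value = m.group("label").strip(), m.group("value")
        if label == "Pre-Shared Key":
            current["psk"] = value
        elif label.endswith(" ASN"):
            current["cgw_asn" if label.startswith("Customer") else "vgw_asn"] = int(value)
        elif block and label in ("Customer Gateway", "Virtual Private Gateway"):
            current[("cgw_" if label.startswith("Customer") else "vgw_") + block] = value
    return tunnels


def sase_form_fields(t):
    """Map one parsed tunnel onto the form fields of step 6: the inside
    addresses lose their /30, Remote ID and Site ID are the AWS outside IP."""
    return {
        "Shared Secret": t["psk"],
        "Check Point SASE Gateway Internal IP": str(ipaddress.ip_interface(t["cgw_inside"]).ip),
        "Remote Public IP": t["vgw_outside"],
        "Remote ID": t["vgw_outside"],
        "Remote Gateway Internal IP": str(ipaddress.ip_interface(t["vgw_inside"]).ip),
        "Remote Gateway ASN": t["vgw_asn"],
        "Site ID": t["vgw_outside"],
    }


def sanity_check(t):
    """Problems that would keep the tunnel or its BGP session from coming up."""
    problems = []
    if t["cgw_asn"] == t["vgw_asn"]:
        problems.append("customer gateway ASN equals the AWS ASN; eBGP needs them to differ")
    cgw, vgw = ipaddress.ip_interface(t["cgw_inside"]), ipaddress.ip_interface(t["vgw_inside"])
    if cgw.network != vgw.network or cgw.network.prefixlen != 30:
        problems.append("inside addresses are not the two hosts of one /30")
    if not cgw.network.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("inside /30 lies outside the 169.254.0.0/16 range AWS allocates")
    if not 8 <= len(t["psk"]) <= 64:
        problems.append("pre-shared key is not 8-64 characters long")
    return problems


def redundant_pair(tunnel1_txt, tunnel2_txt):
    """Form values for the guide's two tunnels: 'IPSec Tunnel #1' of each file,
    the files having been generated for two different Check Point SASE gateways."""
    a, b = parse_generic_config(tunnel1_txt)[1], parse_generic_config(tunnel2_txt)[1]
    if a["cgw_outside"] == b["cgw_outside"]:
        raise ValueError("both VPN connections point at the same gateway; no redundancy")
    for t in (a, b):
        if sanity_check(t):
            raise ValueError("; ".join(sanity_check(t)))
    return sase_form_fields(a), sase_form_fields(b)


if __name__ == "__main__":
    for name, fields in zip(("Tunnel 1", "Tunnel 2"),
                            redundant_pair(SAMPLE_TUNNEL1_TXT, SAMPLE_TUNNEL2_TXT)):
        print(name, fields)
```

On a real download, read the two files with `open(...).read()` and pass them to `redundant_pair`; the returned dictionaries are keyed by the field names of the **Tunnel 1** / **Tunnel 2** sections. The pre-shared key is printed together with the other fields, so treat the output as you would the file itself.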

## Creating Static Routes

1. Navigate to **VPC** -> Select the corresponding VPC attached to the Transit Gateway -> Select the **Main Route Table** for the VPC.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-22_at_2_23_52_PM.png)
2. Edit the main route table of the VPC and add a route whose destination is the CIDR range of your Check Point SASE network and whose target is the Transit Gateway (this carries the return traffic).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2021-12-22_at_2_27_15_PM.png)
  - Note that the subnets you need to reach may not use the main route table. In that case, locate the route table of each subnet in the VPC and add the same return route for the Check Point SASE internal subnet range.
3. Navigate back to your Check Point SASE network and add the route to the corresponding subnet in AWS.  
Select "..." next to your network and then **Routes Table**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1640192938606.png)
4. Once completed, select **Apply Configuration** and let the route changes propagate on the Check Point SASE side.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1640193076363.png)

## Verifying the Setup

Once the configuration is applied, both tunnels should come up. In the Check Point SASE admin console, open your network and confirm that both tunnels you created show the status "Up". On the AWS side, open each Site-to-Site VPN connection and check the **Tunnel details** tab: the first tunnel of each connection should show the status **Up**, and the Transit Gateway route table should now list the Check Point SASE prefix as a route propagated from the VPN attachments. Finally, connect to your network with the Check Point SASE agent and access a resource in the VPC.

## Troubleshooting

If a tunnel stays down, compare the values you entered with the downloaded configuration file rather than from memory: a pre-shared key that differs between the two sides, a Remote ID or Site ID that is not the AWS outside IP, an inside address pasted with its /30, or a Check Point SASE ASN equal to the AWS ASN each keep a tunnel or its BGP session from coming up. Also confirm that the Customer Gateway of each VPN connection is the public IP of a different Check Point SASE gateway, and that the return route to the Check Point SASE range exists in the route table of every subnet you need to reach. If the problem persists, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [Perimeter81.com](https://www.perimeter81.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
