---
title: "Configuring Check Point Maestro VSX Redundant IPsec Tunnel"
slug: "configuring-check-point-maestro-vsx-redundant-ipsec-tunnel"
updated: 2026-04-07T09:02:14Z
published: 2026-04-07T09:02:14Z
canonical: "support.perimeter81.com/configuring-check-point-maestro-vsx-redundant-ipsec-tunnel"
stale: true
---


# Configuring Check Point Maestro VSX Redundant IPsec Tunnel

## Introduction

This topic explains how to establish a redundant Site-to-Site VPN tunnel between your Check Point SASE Network and Check Point Maestro VSX Firewall.

## Pre-requisites

- Check Point SASE Administrator Portal account.
- Device with Check Point SASE Agent installed.
- Administrator account with Firewall, Router, and the Cloud Management Portal.
- A Maestro VSX cluster with one or two public IPs.

## Part 1 - Configuration in SmartConsole

### Step 1: Creating Interoperable Device Object in the Check Point SmartConsole

1. Log in to the Check Point SmartConsole.
2. Click **Security Policies**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-H2TP2HIU.png)
3. In the **Objects** pane, click **New** and select **More > Network Object > More > Interoperable Device**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-CG9IJ700.png)

The **Interoperable Device** popup appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-Q2F3OFL1.png)
4. In the **Name** field, enter a name for the Check Point SASE Gateway, for example, *Harmony_SASE_Gateway*.
5. In the **IPv4 Address field**, enter the Check Point SASE Gateway public IP address.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-QF3PC1NQ.png)

To find the Check Point SASE Gateway public IP Address:
  1. Access the Check Point SASE Administrator Portal and click **Networks**.
  2. Select the network.
  3. Go to the **Gateways** section to find the Public IP address for setting up the single IPsec tunnel.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-EMGMETTH.png)
6. Click **OK**.

### Step 2: Adding Check Point SASE Gateway IP Address and Remote Subnet To The Interoperable Device Object

1. Log in to the Check Point SASE Administrator Portal.
2. Click **Networks**.
3. Verify the assigned network:
  1. Select a network, scroll to the end of the row and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-S3UW8632.png).
  2. Select **Edit Network**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-2MO2KXH0.png)
  3. In the **Edit Network** section, check the **Subnet** field to verify the assigned network. The default value is 10.255.0.0/16.
4. Open the Interoperable Device object that you created.
5. Click **Topology > New**. ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-VINS6MKF.png)
6. In the **General** tab, enter these:
  1. **Name** – Name of the topology, for example, Check Point SASE Network.
  2. **IP Address** – 10.255.0.0
  3. **Net Mask**– 255.255.0.0 ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-5K20ACXM.png)
7. In the **Topology** tab, select **Internal (leads to the local network)** and then select **Network defined by the interface IP and Net Mask**. ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1U9D7QD3.png)

**Note:**

If the gateway is configured with an interface topology that includes a network range or a group overlapping with the encryption domain of the remote VPN peer, incoming decrypted traffic may be seen as coming from the wrong interface. This could trigger anti-spoofing measures, causing traffic to be dropped. To create an anti-spoofing exception, see [sk151774](https://support.checkpoint.com/results/sk/sk157074).
8. Click **OK**.
9. Click **Topology > New**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-BFPPK09A.png)
10. In the **General** tab, enter these:
  1. **Name** – Name for the topology, for example, Harmony_SASE_Gateway
  2. **IP Address** – Public IP address of the Check Point SASE gateway
  3. **Net Mask** – 255.255.255.255

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-Y5SS1223.png)
11. Click the **Topology** tab, Select **External (leads out to the internet)**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-4GG8HI4Q.png)
12. Click **OK**.
13. In the **VPN Domain** section, select User defined and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-S3UW8632.png).
14. Click **New** and go to **Group > Simple Group**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-ZAILIZW0.png)

The **New Network Group** popup appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-27E6HH20.png)
15. In the **Enter Object Comment** field, enter a name, for example, HSASE_VTI, and click **OK**.
16. For the other Check Point SASE Gateway and Check Point Gateway, follow the same procedure in **Creating Interoperable Device Objects in the Check Point SmartConsole and Adding Check Point SASE Gateway IP Address and Remote Subnet To The Interoperable Device Object** sections.
17. Publish and install the policy.

### Step 3: Creating VPN Star community

1. Log in to the Check Point SmartConsole.
2. Click **Security Policies**.
3. Go to **Access Tools > VPN Communities**.
4. Select an object, click **New** and go to **More > VPN Community > Star Community**.

The **New Star Community** popup appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-U30Y5MTX.png)
5. In the **Enter Object Name** field, enter an object name for the VPN Star Community, for example, *Harmony_SASE_VPN*.
6. In the Centre Gateways section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206404291.png) and add the Maestro Security Group.

The Security Group is added to the table.
  1. Double-click the Maestro Security Group in the table.
  2. In the **VPN Domain** section, select the **Override** checkbox and from the list, select the allow all VPN group.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-HCWPV1LL.png)
  3. In the **Interfaces** section, select the **Override** checkbox and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206404291.png).

The **Interface Settings** popup appears.
  4. Specify these:
    1. **External Interface**
    2. **Static NAT IP Address** - The Check Point SASE Gateway public IP address.
  5. Click **OK**.
  6. Click **OK**.
7. In the**Satellite Gateways** section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206404291.png) and add the Interoperable Device Object created for the Check Point Gateway. See [Step 1](/v1/docs/configuring-check-point-maestro-vsx-redundant-ipsec-tunnel#step-1-creating-interoperable-device-object-in-the-check-point-smartconsole).
8. Go to **Shared Secret** and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206470575.png) to edit the shared key.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-UJZ1I421.png)
9. In the **Enter secret** field, enter an appropriate key.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207148308.png)

**Notes:**

  - Check Point recommends that the shared secret key is at least 20 characters in length.
  - Copy the key as it is required while configuring the IPsec Tunnel in the Check Point SASE Administrator Portal.
10. Click **OK**.
11. From the left navigation pane, click **Encryption** and do these:
  1. In the **Encryption Settings** section, from the **Encryption Method** list, select **IKEv2 only**.
  2. In the **Encryption Suite** section, select **Custom encryption suite**.
  3. In the **IKE Security Association (Phase 1)** section:
    1. From the **Encryption Algorithm** list, select **AES-256**.
    2. From the **Data Integrity** list, select **SHA256**.
    3. From the **Diffie Hellman group** list, select **Group 14 (2048 bit)**.
  4. In the **IKE Security Association (Phase 2)** section:
    1. From the **Encryption Algorithm** list, select **AES-256**.
    2. From the **Data Integrity** list, select **SHA256**.
    3. Select **Use Perfect Forward Secrecy**.
    4. From the **Diffie Hellman group** list, select **Group 14 (2048 bit)**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Image6.png)
12. Go to **Tunnel Management**.
13. In the **Permanent Tunnels** section, select the **Set Permanent Tunnels** checkbox and then select **On all tunnels in the community**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/PermanentTunnels(2).png)
14. In the **VPN Tunnel Sharing** section, select **One VPN tunnel per Gateway pair**.

**Note:**

Make sure that you enter the remote subnets specified here in the Check Point SASE Administrator Portal. A mismatch can disconnect the tunnel.
15. Go to **Advanced**.
16. In the **IKE (Phase 1)** section, set the **Renegotiate IKE security associations every (minutes)** field to **480**.
17. In the **IPsec (Phase 2)** section, set the **Renegotiate IPsec security associations every (seconds)** field to **3600**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207064571.png)
18. Click **OK**.
19. In the **Properties** section, select the **Disable NAT inside the VPN community** checkbox and from the list, select **Both center and satellite** gateways.
20. Publish and install the policy.

### Step 4: Additional settings in Check Point SmartConsole

1. To set up a Check Point firewall policy, add a rule for VPN traffic for the specific VPN Domain in the Check Point SmartConsole.

In the example below, we have created a policy to allow traffic from the Check Point SASE Network 10.255.0.0/16 to specific destinations and services.

**Note:**

The network configuration differs if you have not changed the default settings during Check Point SASE network creation. For testing purposes, you should initially allow any/any or allow ping before making the firewall policy more restrictive.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207316980.png)
2. Publish and install the policy.

### Step 5: Configuring VPN Tunnel Interface and BGP Configuration

1. Log in to **Gaia Clish** of the **Maestro Security Group**.
  1. Switch to **expert mode**.
  2. Write a script for creating two **VPN Tunnel Interfaces** with this content:

```plaintext
transaction begin

add interface vd <Name of Maestro Security Group> vpn_tunnel numbered peer <Name of Interoperable device of first SASE GW> local <Tunnel Local IP> remote <Tunnel Remote IP> tunnel_id <Tunnel ID>

add interface vd <Name of Maestro Security Group> vpn_tunnel numbered peer < Name of Interoperable device of second SASE GW > local <Tunnel Local IP> remote <Tunnel Remote IP> tunnel_id <Tunnel ID>

transaction end
```

**Local Address** - Internal address for the **Maestro Security Group** (within 169.254.x.x/30 ranges).

**Remote Address** - Internal address for the **Check Point SASE Gateway** (within 169.254.x.x/30 ranges, corresponding to the above).

**Example for script content:**

```plaintext
transaction begin

add interface vd vs-ext vpn_tunnel numbered peer SASE_Frankfurt_1 local 169.254.254.1 remote 169.254.254.2 tunnel_id 1

add interface vd vs-ext vpn_tunnel numbered peer SASE_London_1 local 169.254.254.5 remote 169.254.254.6 tunnel_id 2

transaction end
```
  3. Execute the script through **vsx_provisioning_tool**:

```plaintext
vsx_provisioning_tool -s localhost -u <user name> -f <full path to above script>
```
  4. Verify successful execution of the script.
  5. Exit **expert mode** and connect to the relevant **Maestro Security Group**:
  6. Create a peer group by executing these commands:

```plaintext
set bgp external remote-as <Peer AS Number> on

set bgp external remote-as <Peer AS Number> peer <remote peer IP of first tunnel> on multihop on graceful-restart on

set bgp external remote-as <Peer AS Number> peer <remote peer IP of second tunnel> on multihop on graceful-restart on
```

**Peer AS Number** - The AS Number of the Check Point SASE network. If not set already, enter 64512.

**Remote peer IP** – Enter remote IP addresses of the two tunnels created in [step 3](/v1/docs/configuring-check-point-maestro-vsx-redundant-ipsec-tunnel#step-3-creating-vpn-star-community).
  7. Create an inbound route filter by executing this command:

```plaintext
set inbound-route-filter bgp-policy based-on-as as <AS Number> on
```

**AS Number** - The AS Number of the Check Point SASE network.
  8. Create a route redistribution rule by executing this command:

```plaintext
set route-redistribution to bgp-as <AS Number> from static-route all-ipv4-routes on
```

**AS Number** - The AS Number of the Check Point SASE network.
  9. Save the configuration:

```plaintext
save config
```
2. Log in to the **Check Point SmartConsole**.
  1. Open the **Maestro Security Group Properties**.
  2. Go to **Network Management**.
  3. From the **Get Interfaces** list, select **Get interfaces Without Topology**.
  4. Verify that the two **VPN Tunnel Interfaces** are added.
  5. Publish and install the policy.
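Added example (not part of the original page or Check Point's tooling): a small Python helper that builds the `vsx_provisioning_tool` script body and the Clish BGP commands above from one set of tunnel definitions, after checking that each local/remote pair is a usable pair inside a single 169.254.x.x/30 and that tunnel IDs and /30s are not reused. The VS name, peer names and addresses are the page's example values; the checks it applies are this example's own.

```python
"""Build the Gaia VTI provisioning script and BGP peer commands for the two
redundant Maestro VSX <-> SASE tunnels from one set of definitions, after
checking that each local/remote pair sits inside a single 169.254.x.x/30."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample values mirroring the page's example (vs-ext, two SASE peers).
TUNNELS = [
    {"peer": "SASE_Frankfurt_1", "local": "169.254.254.1", "remote": "169.254.254.2", "id": 1},
    {"peer": "SASE_London_1", "local": "169.254.254.5", "remote": "169.254.254.6", "id": 2},
]


def validate_tunnels(tunnels):
    """Return a list of problems; an empty list means the VTI addressing is consistent."""
    problems, seen_ids, seen_nets = [], set(), set()
    for t in tunnels:
        local = ipaddress.ip_address(t["local"])
        remote = ipaddress.ip_address(t["remote"])
        net = ipaddress.ip_network(f"{local}/30", strict=False)
        edges = (net.network_address, net.broadcast_address)
        if local not in LINK_LOCAL or remote not in LINK_LOCAL:
            problems.append(f"{t['peer']}: endpoints must be within 169.254.x.x")
        if remote not in net or local == remote:
            problems.append(f"{t['peer']}: local and remote are not a usable pair in one /30")
        elif local in edges or remote in edges:
            problems.append(f"{t['peer']}: network/broadcast address used as an endpoint")
        if t["id"] in seen_ids:
            problems.append(f"{t['peer']}: tunnel_id {t['id']} is already used")
        if net in seen_nets:
            problems.append(f"{t['peer']}: /30 {net} is already used by another tunnel")
        seen_ids.add(t["id"])
        seen_nets.add(net)
    return problems


def vti_script(vs_name, tunnels):
    """Script body for vsx_provisioning_tool, one 'add interface' line per tunnel."""
    lines = ["transaction begin"]
    for t in tunnels:
        lines.append(f"add interface vd {vs_name} vpn_tunnel numbered peer {t['peer']} "
                     f"local {t['local']} remote {t['remote']} tunnel_id {t['id']}")
    lines.append("transaction end")
    return "\n".join(lines)


def bgp_commands(peer_as, tunnels):
    """Clish commands for the peer group, inbound filter and redistribution."""
    lines = [f"set bgp external remote-as {peer_as} on"]
    for t in tunnels:  # the BGP neighbour is the SASE-side (remote) address of each VTI
        lines.append(f"set bgp external remote-as {peer_as} peer {t['remote']} "
                     "on multihop on graceful-restart on")
    lines.append(f"set inbound-route-filter bgp-policy based-on-as as {peer_as} on")
    lines.append(f"set route-redistribution to bgp-as {peer_as} from static-route all-ipv4-routes on")
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate_tunnels(TUNNELS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(vti_script("vs-ext", TUNNELS))
    print(bgp_commands(64512, TUNNELS))
```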

## Part 2 - Configuration in Check Point SASE Administrator Portal

### Step 1: Configuring Tunnel and Routes Table

1. Access the Check Point SASE Administrator Portal and click **Networks**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-02-17%20at%2019.31.14(2).png)
2. Select the network.
3. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207416268.png).
4. Select **Add Tunnel** for the gateway from which you want to add the IPSec Site-2-Site VPN tunnel.
  1. Click **IPSec Site-2-Site Tunnel** and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
  2. Click **Redundant Tunnels** and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
  3. In the **Tunnel name** field, enter a logical name.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/RedundantIPSecTunnels.png)
  4. Expand **Tunnel 1** and specify these:
    - **Shared Secret** – The value previously set on the first star policy.
    - **Check Point SASE Gateway Internal IP** - The remote address of the first Check Point Gateway used under the VTI settings.
    - **Remote Public IP** - The public IP of the Maestro Security Group.
    - **Remote Gateway Internal IP** - The first local address of the Maestro Security Group under the VTI settings.
    - **Remote Gateways ASN** - The ASN of the Maestro Security Group.
    - **Remote ID** - The router ID of the Maestro Security Group used under the BGP settings above.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CPHQ01.png)
  5. Expand **Tunnel 2** and specify these:
    - **Gateway** - Select the second Check Point SASE Gateway for the tunnel.
    - **Shared Secret** - The value previously set on the second star policy.
    - **Check Point SASE Gateway Internal IP** - The remote address of the second SASE Gateway used under the VTI settings.
    - **Remote Public IP** - The public IP of the Maestro Security Group.
    - **Remote Gateway Internal IP** -The second local address of the Maestro Security Group used under the VTI settings.
    - **Remote Gateways ASN** - The ASN of the Maestro Security Group.
    - **Remote ID** - The router ID of the Maestro Security Group used under the BGP settings above.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CPHQ02.png)
  6. Expand **Shared Settings** and specify these:
    - **Check Point SASE Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
    - **Remote Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
    - **Autonomous System Number (ASN)** - Default value is **64512**; if not set, enter the AS Number for the Check Point SASE network.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SharedSetting_Any_Any.PNG)
  7. In the **Advanced Settings** section, specify these:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/KeyExchangeMethod(1).PNG)
    - **IKE Version:** V2
    - **IKE Lifetime:** 8h
    - **Tunnel Lifetime:** 1h
    - **Dead Peer Detection Delay:** 10s
    - **Dead Peer Detection Timeout:** 30s
    - **Phase 1**:
      - **Encryption(Phase 1):** aes256
      - **Integrity (Phase 1):** sha256
      - **Key Exchange Method:** modp2048
    - **Phase 2**:
      - **Encryption(Phase 2):** aes256
      - **Integrity (Phase 2):** sha256
      - **Key Exchange Method:** modp2048
  8. Click **Add Tunnel**.
5. Select **Routes Table**:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)
  1. Click **Add Route**. The **Add Route** popup appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207709320.png)
  2. Enter all the subnets on the remote side of the tunnel and then click **Add Route**.

**Note:**

Make sure that in the Tunnel list, you have selected the previously entered Tunnel name.
6. Click **Apply Configuration**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)
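Added example (not part of the original page): the SmartConsole side (Part 1, Step 3) and the portal side (Part 2, Step 1) express the same IKE/IPsec parameters in different units and names (480 minutes versus `8h`, 3600 seconds versus `1h`, `Group 14 (2048 bit)` versus `modp2048`), and a mismatch drops the tunnel. This Python check normalises both sides and lists any parameter that disagrees; the two dictionaries are constructed from the values this page prescribes, and the DH-group mapping covers only the group the page uses.

```python
"""Cross-check the IKE/IPsec settings entered in SmartConsole (Part 1, Step 3)
against those entered in the SASE portal (Part 2, Step 1). The two sides use
different units and names for the same parameters."""
import re

# Constructed sample values reflecting the settings this page prescribes.
SMARTCONSOLE = {
    "encryption_method": "IKEv2 only",
    "phase1": {"enc": "AES-256", "integrity": "SHA256", "dh": "Group 14 (2048 bit)"},
    "phase2": {"enc": "AES-256", "integrity": "SHA256", "dh": "Group 14 (2048 bit)", "pfs": True},
    "ike_renegotiate_minutes": 480,
    "ipsec_renegotiate_seconds": 3600,
}
PORTAL = {
    "ike_version": "V2",
    "ike_lifetime": "8h",
    "tunnel_lifetime": "1h",
    "phase1": {"enc": "aes256", "integrity": "sha256", "kex": "modp2048"},
    "phase2": {"enc": "aes256", "integrity": "sha256", "kex": "modp2048"},
}

# SmartConsole DH group label -> portal key exchange name (only the group this page uses).
DH_TO_KEX = {"Group 14 (2048 bit)": "modp2048"}
UNITS = {"s": 1, "m": 60, "h": 3600}


def to_seconds(value):
    """Parse portal lifetimes such as '8h', '30m' or '3600s' into seconds."""
    m = re.fullmatch(r"(\d+)([smh])", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def normalize_alg(name):
    """'AES-256' and 'aes256' describe the same algorithm."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def compare(sc, portal):
    """Return a list of mismatches; an empty list means both sides agree."""
    out = []
    if (sc["encryption_method"] == "IKEv2 only") != (portal["ike_version"] == "V2"):
        out.append("IKE version differs")
    if sc["ike_renegotiate_minutes"] * 60 != to_seconds(portal["ike_lifetime"]):
        out.append("IKE (Phase 1) lifetime differs")
    if sc["ipsec_renegotiate_seconds"] != to_seconds(portal["tunnel_lifetime"]):
        out.append("IPsec (Phase 2) lifetime differs")
    for phase in ("phase1", "phase2"):
        for key in ("enc", "integrity"):
            if normalize_alg(sc[phase][key]) != normalize_alg(portal[phase][key]):
                out.append(f"{phase} {key} differs")
        if DH_TO_KEX.get(sc[phase]["dh"]) != portal[phase]["kex"]:
            out.append(f"{phase} Diffie-Hellman group differs")
    if not sc["phase2"].get("pfs"):
        out.append("PFS is off in SmartConsole but the portal negotiates a Phase 2 key exchange")
    return out


if __name__ == "__main__":
    print(compare(SMARTCONSOLE, PORTAL) or ["settings match"])
```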

### Step 2: Verifying the Setup

Once you complete the above steps, your tunnel should be active.

1. Verify the setup in the Check Point SASE Administrator Portal:
  1. Click **Networks**.
  2. Locate the tunnel you created, and check the tunnel status. It should indicate that the tunnel is **Up**, signifying a successful connection.
2. Verify the setup in the Check Point SASE Agent:
  1. Connect to your network using the Check Point SASE Agent.
  2. Access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. Check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com.
