I am attempting to set up a site to site VPN with a Checkpoint firewall without much success. My end is a failover pair of PIX 515e firewalls running 6.3(5). Both have a 3DES license. My understanding of failover is the primary has an outside address (nnn.mmm.206.130) and the failover PIX has a different outside address (nnn.mmm.206.136) but assumes the primary address (nnn.mmm.206.130) when it acts as primary. For the VPN peer I would use the primary address nnn.mmm.206.130, correct? After failover the tunnel would come back up on the failover box using the primary address nnn.mmm.206.130 as the peer? Thanks.