https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/275038#M104771 <P>This might be a job for TAC, I don't have the setup to test this at the moment. I'm not aware of any reason why it should or should not work but I also haven't tried it before.</P> Wed, 08 Apr 2026 02:06:25 GMT emmap 2026-04-08T02:06:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274953#M104756 <P>It became necessary to establish a connection between PDP and PEP in Identity Sharing mode from the interfaces of ClusterXL members. In short, the analogue of the cause of sk63264.<BR />Is it possible?<BR />The need is that some of the equipment must work via Route-Based IPsec, and, as it turned out, NAT is not possible with vti/vpnt.<BR />Maybe there is an option to set a source IP to establish a connection?</P> Tue, 07 Apr 2026 05:08:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274953#M104756 akurtasanov 2026-04-07T05:08:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274957#M104757 <P>You want to change the IP address being used for ID sharing? We can do that:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk60701" target="_blank">https://support.checkpoint.com/results/sk/sk60701</A></P> <P>&nbsp;</P> Tue, 07 Apr 2026 05:30:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274957#M104757 emmap 2026-04-07T05:30:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274967#M104758 <PRE class="">I saw this SK. Ithink It doesn't quite fit. The following is required.<BR />There is an Identity Sharing Gateway.<BR />A cluster with a VIP main IP of 172.21.56.1 connects to it. NAT is created. When accessing through regular interfaces via the backup ethxx channel, everything is fine. But when accessing via IPsec, the traffic doesn't follow the NAT rule. Traffic from the VPN simply ignores the NAT and goes from the VPN's src IP (let's say 192.168.1.1 ClusterMemberA, 192.168.1.2 ClusterMemberB). And the output I get is the situation described in sk63264 - Identity Sharing GW with two Incoming sessions from 192.168.1.1 and 192.168.1.2.</PRE><P>&nbsp;</P> Tue, 07 Apr 2026 08:24:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274967#M104758 akurtasanov 2026-04-07T08:24:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274975#M104759 <P>Does your VTI have a VIP configured in SmartConsole?</P> Tue, 07 Apr 2026 09:44:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274975#M104759 emmap 2026-04-07T09:44:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274978#M104760 <P>Yes. Explicit Hide rule. NAT doesn't work.</P><P>There is a backup plan to simply connect directly to the collector becasue it initiates connection, but I would like to try to make the current configuration work.</P> Tue, 07 Apr 2026 10:24:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/274978#M104760 akurtasanov 2026-04-07T10:24:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/275038#M104771 <P>This might be a job for TAC, I don't have the setup to test this at the moment. I'm not aware of any reason why it should or should not work but I also haven't tried it before.</P> Wed, 08 Apr 2026 02:06:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/275038#M104771 emmap 2026-04-08T02:06:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/276267#M105127 <P>According to latest tests, R82.10 supports NAT for vpnt interfaces. But tested only single device.</P> Wed, 29 Apr 2026 17:10:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-propagation-ClusterXl-members/m-p/276267#M105127 akurtasanov 2026-04-29T17:10:57Z