topic Re: Site to site VPN - Not using ID_IPV4_ADDR as IKE ID in Firewall and Security Management

Site to site VPN - Not using ID_IPV4_ADDR as IKE ID

Michael_Horne — Thu, 18 Mar 2021 17:16:04 GMT

Hello All,

Is it possible on a Checkpoint Security Gateway to use something else besides an IP address is the IKE ID?

We are partnering with a 3rd Party that use a Sonic Firewall. For there configuration options it is select the IKE ID for Phase 1 as IP address, but also a domain or and email address format.

Under the Link Selection options, all we have is various options that can be used to determine what IP Address to select as the IKE ID.

There are reasons to do with failover between two Site to Site VPN tunnels, that cause us to now want to use the local public IP address. Each IPsec connection from our sites to the partner should use the same IKE ID, for the failover to be automatic on their end.

Regards,

Michael

Re: Site to site VPN - Not using ID_IPV4_ADDR as IKE ID

PhoneBoy — Thu, 18 Mar 2021 20:13:08 GMT

You can use FQDN.
See option 2 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108600&partition=Advanced&product=IPSec

Re: Site to site VPN - Not using ID_IPV4_ADDR as IKE ID

Michael_Horne — Fri, 19 Mar 2021 10:13:27 GMT

Thank you very much for the information. I forgot this SK exists!

Since we are setting environment variables, this would affect all VPN tunnels on the security gateway, correct?

Many thanks,

Michael

Re: Site to site VPN - Not using ID_IPV4_ADDR as IKE ID

MartinTzvetanov — Fri, 19 Mar 2021 12:46:23 GMT

When I was on a Checkpoint training the instructor said it's possible to use fqdn and ip based s2s vpn and you have to ask the support how to do it. This was 5 years ago and I don't remember if there is an sk how to do it by your own, so open a case and ask the support.

Re: Site to site VPN - Not using ID_IPV4_ADDR as IKE ID

PhoneBoy — Sat, 20 Mar 2021 06:39:39 GMT

Believe so, yes.