topic Re: Site to site VPN with different local ip in Firewall and Security Management

Site to site VPN with different local ip

nastiakhon — Fri, 09 Jul 2021 04:15:44 GMT

Hello
We have a problem with setting up Site to site VPN for a checkpoint.
The problem is that the provider gave us a range of IP addresses, and we want to set up VPN with different organizations using our different public IP addresses

For example, we were given a range of public IP addresses 20.20.20.0/29. ip address 20.20.20.1/24 is registered on the provider's gateway, ip 20.20.20.2 is registered on the physical interface of our checkpoint. This is the checkpoint gateway. We have 4 IP addresses in stock, these are 20.20.20.3, 20.20.20.4, 20.20.20.5, 20.20.20.6.
Site to site VPN at our address 20.20.20.2 is already configured with organization1
We need to create another Site to site VPN and use the IP address 20.20.20.3 to communicate via VPN with organization 2.

When creating a VPN community as our side, we can select only the address of our gateway, which is registered on the physical interface, this is 20.20.20.2, how can we choose the address 20.20.20.3

Thank you!

Re: Site to site VPN with different local ip

PhoneBoy — Fri, 09 Jul 2021 05:45:52 GMT

The way to change the IP used for Site-To-Site VPN is the Link Selection setting in the gateway object.
Unfortunately you cannot directly specify it per-peer, but you can influence it based on routing out a different interface for different addresses.

Re: Site to site VPN with different local ip

nastiakhon — Fri, 09 Jul 2021 08:29:54 GMT

Thanks for the answer,
It turns out that my VPN, which is already configured, will I need to destroy it? and change the settings on all sides on all VPNs, both on my side and on the remote.
If I specify a new / different IP address in the Link Selection setting in the gateway object, then it will be applied to all my Site-To-Site VPNs.
There may be some alternative way to use different public IP addresses for different Site-To-Site VPNs (from the same subnet from the provider). Maybe I can do this with the help of an alias? Register an alias on the physical interface, and then specify this IP alias in the VPN community like that?

Maybe somehow you can do it with the help of proxy ARP?
Can you please tell me if there is such a possibility?

Re: Site to site VPN with different local ip

PhoneBoy — Sat, 10 Jul 2021 00:07:18 GMT

Any change to the Link Selection settings will impact all configured VPNs.
The only way you can have a different IP is to route the traffic out a different physical interface.
This precludes the use of an interface alias or proxy arp.
Not sure we support having multiple physical interfaces on the same subnet.

One way I know will work is to use VSX (having each VPN terminate on a different VS).