https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-Star-Community-Access-resources-on-the-same-Public-IP/m-p/184294#M33859 <P>The Peer IP is always excluded in the encryption domain by default on Check Point.<BR />This causes issues with non-Check Point devices.<BR />Scenario 3 of the following SK discusses this:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk108600</A></P> Mon, 19 Jun 2023 17:31:14 GMT PhoneBoy 2023-06-19T17:31:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-Star-Community-Access-resources-on-the-same-Public-IP/m-p/184252#M33849 <P>Hi There,</P><P>I consider this a strange request, but will outline the situation.&nbsp;<BR /><BR />Star Based IPSEC VPN Community, which is working perfectly fine to external 3rd party.&nbsp; VPN Community is built so client private /16 and external party private /27 can communicate.&nbsp; Essentially the 3rd party use the tunnel to keep printing traffic encrypted to client printers.&nbsp;&nbsp;<BR /><BR />Currently, users access 3rd party web portal by an A record with public IP address that differs to the PIP that the Interoperable Device is configured with.&nbsp; Therefore this access is across the native internet, but does passthrough the checkpoint firewall that also peer's the IPSEC Tunnel.&nbsp;&nbsp;<BR /><BR />The 3rd party, now wants WebGUI access for users to use an A Record that resolves to the same PIP as the interoperable Device.&nbsp; This access currently does not work.&nbsp;<BR /><BR />Firewall logging indicates that this traffic attempts to be encrypted across the VPN Community.&nbsp; Eventually it generates an IKE failure "No Response to Peer"&nbsp; &nbsp;I have attached the 1st log of the communication.&nbsp; &nbsp;Trace Route from client site stops at the Checkpoint Firewall.&nbsp;&nbsp;<BR /><BR />I don't know if some of my config is wrong in the VPN community or if this is just an expected outcome.&nbsp; I have limited knowledge, of the 3rd party networking configuration, to yet make the suggestion of using split-brain DNS and resolving the A record to a private IP covered by the VPN Community.&nbsp;<BR /><BR />Any advise or assistance would be appreciated.&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 19 Jun 2023 05:33:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-Star-Community-Access-resources-on-the-same-Public-IP/m-p/184252#M33849 jfelix 2023-06-19T05:33:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-Star-Community-Access-resources-on-the-same-Public-IP/m-p/184294#M33859 <P>The Peer IP is always excluded in the encryption domain by default on Check Point.<BR />This causes issues with non-Check Point devices.<BR />Scenario 3 of the following SK discusses this:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk108600</A></P> Mon, 19 Jun 2023 17:31:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSEC-Star-Community-Access-resources-on-the-same-Public-IP/m-p/184294#M33859 PhoneBoy 2023-06-19T17:31:14Z