https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194605#M36237 <P>I m trying to find the scenario which is relevant to me but one thing i dont understand is why i am not able to ping the zscaler endpoint once i put my cluster in the vpn community.&nbsp;</P> Tue, 10 Oct 2023 04:51:10 GMT LostBoY 2023-10-10T04:51:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194575#M36226 <P>I setup an IPSEC Tunnel in Fortinet FWs with Zscaler and it works fine. Now i am trying to do the same in a similar environment with CP 81.20 Cluster.IPSEC tunnel is not working and one problem i noticed is that once i enable the VPN Community i no longer can ping Zscaler endpoints with which the tunnel needs to be stablished. They ping perfectly fine from the GW when i remove the CP CLuster from VPN Community.</P><P>Is this expected behaviour in Checkpoint ? Shouldnt the endpoints be reachable even if they are part of the community ? is there any other step i need to do in order to reach the Zscaler endpoints.</P><P>Thanks</P> Mon, 09 Oct 2023 20:15:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194575#M36226 LostBoY 2023-10-09T20:15:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194580#M36227 <P>You may want to do captures or zdebung to see why it fails, but sounds like it could be one of the scenarios from below sk.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk108600</A></P> Mon, 09 Oct 2023 21:29:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194580#M36227 the_rock 2023-10-09T21:29:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194583#M36228 <P>I presume you set this up per:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk174848" target="_blank">https://support.checkpoint.com/results/sk/sk174848</A>?</P> Mon, 09 Oct 2023 22:18:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194583#M36228 PhoneBoy 2023-10-09T22:18:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194602#M36236 <P>Yes..i followed this precisely</P> Tue, 10 Oct 2023 02:18:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194602#M36236 LostBoY 2023-10-10T02:18:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194605#M36237 <P>I m trying to find the scenario which is relevant to me but one thing i dont understand is why i am not able to ping the zscaler endpoint once i put my cluster in the vpn community.&nbsp;</P> Tue, 10 Oct 2023 04:51:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194605#M36237 LostBoY 2023-10-10T04:51:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194639#M36241 <P>Thankfully i figured out the problem..as it turned out NAT-T is enabled by default on VPN domain.</P><P>As my Cluster isnt behind any NAT device it was unable to negotiate ike phase 2 with NAT-T on.. as soon as i turned it off Tunnel was established successfully.</P><P>Thanks to everyone who replied to this topic.</P> Tue, 10 Oct 2023 09:29:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194639#M36241 LostBoY 2023-10-10T09:29:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194641#M36243 <P>Good job ✔<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Tue, 10 Oct 2023 10:10:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-IPSEC-Tunnel-with-Zscaler/m-p/194641#M36243 the_rock 2023-10-10T10:10:42Z