topic R82 - IKE ID Peer VPN Peer? in Firewall and Security Management

R82 - IKE ID Peer VPN Peer?

StackCap43382 — Tue, 03 Dec 2024 12:28:49 GMT

Hi All,

There is an external HA cluster Whos MAIN IP is a private IP address.

They are experiencing an issue with a S2S VPN Peer rejecting the Peer ID as in IKEv2 the Active member will use the MAIN IP when establishing the VPN.

In R82 I see there is now the enhanced Link Selection feature.

Will this override the MAIN IP and allow us to bypass this limitation of IkeV2 on R81.X?

Is there any other planned features regarding IkeID I am not aware of in R82?

Or is this a question for our SE to answer?

Thanks.

Re: R82 - IKE ID Peer VPN Peer?

the_rock — Tue, 03 Dec 2024 14:04:23 GMT

Thats my understanding as well, it would override main IP, but had not tested it in the lab yet.

Andy

Re: R82 - IKE ID Peer VPN Peer?

LazarusG — Wed, 18 Feb 2026 11:48:59 GMT

I have a ticket for it - peer is asking us to confirm ike-id on enhanced link selection. As far as i can tell will need captures and debugs and offline checking in wireshark and ikeview - then i wonder if BestRoutingSenderIP from sk108600 might be needed? You'd hope it wouldnt be so much of a faff anymore...if im lucky the otherside is a palo and i cant tell the Palo the remote id in the ike gateway peer identification field....i hope...ill let you know 🙂

Re: R82 - IKE ID Peer VPN Peer?

the_rock — Wed, 18 Feb 2026 12:15:08 GMT

Are you using enhanced link selection in R82?

Re: R82 - IKE ID Peer VPN Peer?

RS_Daniel — Wed, 18 Feb 2026 12:35:53 GMT

Hello,

I must say i did not read enhaced link selection docummentation in R82, but below the options we found in the past for this limitation.

If you will use only one external interface for VPN's with third party you could use one of the recommended options from sk44978:

"In SmartConsole, open the Security Gateway object -> IPSec VPN > Link Selection.

Selecting the "Selected address from topology table:" or "Statically NATed IP:" option will affect the IPv4 address used as the IKE ID in Main Mode Packet 5."

However if you use more than one external interface it is not a perfect solution. Another suggestion from Check Point is in sk33822:

"Configure the Security Gateway to work with ID configured to an FQDN"

In this post we received another suggestion to use one VS per external interface so we can use options from sk44978.

IKE Main Mode ID - Check Point CheckMates

HTH.

Regards

Re: R82 - IKE ID Peer VPN Peer?

the_rock — Wed, 18 Feb 2026 12:55:32 GMT

I tried using it with one customer, but we could never make it work. Even had TAC case opened for it, no joy...so for sake of saving time and frustration, we just decided to use old school link selection method and all worked fine.