topic Re: S2S with local VPN Peer static NAT in Firewall and Security Management

S2S with local VPN Peer static NAT

Richard_Cullum — Mon, 23 Jul 2018 11:34:53 GMT

S2S VPN over the Internet. Using public ip addresses as peer addresses. If my Check Point R80.10 gateway external ip address is a private address for BGP peering, can I terminate a S2S VPN on the gateway by using a public ip Static NAT configured on the same gateway? It's quite common to see scenarios where there is a Public<=translates to=>Private NAT device in front of the VPN peer, but does it work if the Check Point VPN peer also does the NAT required as well?

(Check Point R80.10 cluster Private IP<=translate to=>Public NAT) <=VPN connects to => Remote VPN Peer Public IP

Re: S2S with local VPN Peer static NAT

PhoneBoy — Mon, 23 Jul 2018 16:09:06 GMT

I believe so, you would set the appropriate IP in Gateway Object > IPSec VPN > Link Selection.

Re: S2S with local VPN Peer static NAT

Richard_Cullum — Tue, 24 Jul 2018 09:38:18 GMT

Thanks for the above info and I guess that means I can define the statically NATd IP address. But I have found this KB article sk44978 that suggest for IKEv2 , it will always use Main IP. So is IKEv2 problematic where any NAT traversal for a S2S vpn is required?

Re: S2S with local VPN Peer static NAT

PhoneBoy — Tue, 24 Jul 2018 14:10:28 GMT

Forgot about that particular limitation.

Hadn’t heard of specific issues around it, though.

The SK does mention a workaround.