topic Re: VPN tunnel without public IP on the External interface in Firewall and Security Management

VPN tunnel without public IP on the External interface

Louis_Poulin — Wed, 10 Apr 2019 17:09:17 GMT

Please consider the following diagram:

The Check Point firewall is a VS on a VSX Cluster running R80.20.

The External interface is assigned a private IP address. But public IP addresses 1.1.1.0/24 are routed to this Check Point firewall.

I need to make a VPN tunnel with a Cisco device with IP 2.2.2.2.

Do you guys have any ideas?

We tried so far to add a dummy interface on the VS that leads to nowhere, but with a Public IP 1.1.1.1. There is a negotiation of the tunnel with the Cisco device, but IKE Phase 1 doesn't go through.

On the Cisco side, we have error messages like:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...

On Check Point's side we have:
Main Mode Sent Notification to Peer: authentication failed

With a public IP address on the external interface, there is no problem.

Re: VPN tunnel without public IP on the External interface

Maarten_Sjouw — Wed, 10 Apr 2019 21:43:16 GMT

You need to use VPN link selection on the VS object and assign the 1.1.1 to a interface and set that interface as the interface to use for the VPN. That should do it, also check that the setting for Source IP Address is set to the selected interface.

Re: VPN tunnel without public IP on the External interface

Louis_Poulin — Thu, 11 Apr 2019 15:30:56 GMT

Thank you!

That solution works.

We had trouble because of duplicate interoperable device objects on the Check Point side… The Cisco device was created twice, but with different Topology.