https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10276#M1453 <HTML><HEAD></HEAD><BODY><P>Many Thanks for your reply. The issue we have is that we already have VPN tunnels on addresses from the topology table and we need a new VPN tunnel on a routed IP (not in topology). I think these are mutually exclusive.</P></BODY></HTML> Fri, 17 Nov 2017 07:45:32 GMT Kurt_Abela 2017-11-17T07:45:32Z https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10274#M1451 <HTML><HEAD></HEAD><BODY><P>Dear all,</P><P></P><P>Is it possible to setup a site to site VPN tunnel with a proxied IP address (proxy arp)? i.e. an address which is not on the physical interface?</P><P></P><P>Thanks,</P><P></P><P>K</P></BODY></HTML> Thu, 09 Nov 2017 15:31:21 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10274#M1451 Kurt_Abela 2017-11-09T15:31:21Z https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10275#M1452 <HTML><HEAD></HEAD><BODY><P>Yes.</P><P>From the <A href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm">R80.10 Site-to-Site VPN docs</A>:</P><P></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P class="" style="color: #333333; background-color: inherit; text-decoration: none; margin: 6pt 0pt; padding: 0pt;">There are several methods that can determine how remote peers resolve the IP address of the local Security Gateway. These settings are configured in<SPAN>&nbsp;</SPAN><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">Security Gateway Properties &gt; IPsec VPN &gt; Link Selection</STRONG>. Remote peers can connect to the local Security Gateway with these settings.</P><P class="" style="color: #333333; background-color: inherit; font-weight: 300; text-decoration: none; margin: 0.5cm 0cm 3pt; padding: 15px 0pt 0pt;">Always Use This IP Address:</P><P class="" style="color: #333333; background-color: inherit; text-decoration: none; margin: 6pt 0pt; padding: 0pt;">Configure a certain IP address that is always used. The options are:</P><UL class="" style="color: #333333; margin-top: 3pt; margin-bottom: 0pt;"><LI class="" style="color: #000000; background-color: inherit; text-decoration: none; text-indent: 0cm; margin: 3pt 0pt 0pt; padding: 0pt;"><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">Main address</STRONG><SPAN>&nbsp;</SPAN>- The VPN tunnel is created with the Security Gateway main IP address, specified in the<SPAN>&nbsp;</SPAN><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">IP Address</STRONG><SPAN>&nbsp;</SPAN>field on the<SPAN>&nbsp;</SPAN><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">General Properties</STRONG><SPAN>&nbsp;</SPAN>page of the Security Gateway.</LI><LI class="" style="color: #000000; background-color: inherit; text-decoration: none; text-indent: 0cm; margin: 3pt 0pt 0pt; padding: 0pt;"><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">Selected address from topology table</STRONG><SPAN>&nbsp;</SPAN>- The VPN tunnel is created with the Security Gateway using a selected IP address chosen from the drop down menu that lists the IP addresses configured in the<SPAN>&nbsp;</SPAN><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">Topology</STRONG><SPAN>&nbsp;</SPAN>page of the Security Gateway.</LI><LI class="" style="color: #000000; background-color: inherit; text-decoration: none; text-indent: 0cm; margin: 3pt 0pt 0pt; padding: 0pt;"><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">Statically NATed IP</STRONG><SPAN>&nbsp;</SPAN>- The VPN tunnel is created using a NATed IP address. This address is not required to be listed in the topology tab.</LI></UL></BLOCKQUOTE><P>That last option is what you're surely looking for.</P></BODY></HTML> Fri, 10 Nov 2017 01:23:01 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10275#M1452 PhoneBoy 2017-11-10T01:23:01Z https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10276#M1453 <HTML><HEAD></HEAD><BODY><P>Many Thanks for your reply. The issue we have is that we already have VPN tunnels on addresses from the topology table and we need a new VPN tunnel on a routed IP (not in topology). I think these are mutually exclusive.</P></BODY></HTML> Fri, 17 Nov 2017 07:45:32 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10276#M1453 Kurt_Abela 2017-11-17T07:45:32Z https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10277#M1454 <HTML><HEAD></HEAD><BODY><P>Since this is a per-gateway setting (not a per-tunnel setting), I believe you are correct.</P><P></P><P>The way you would meet this requirement today would be using Virtual Systems (VSX).&nbsp;</P><P>You would have a VS (basically a virtual gateway) that has the configuration you desire.</P><P>This VS could enforce the same or different policy, depending on your requirements.</P></BODY></HTML> Fri, 17 Nov 2017 17:07:21 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10277#M1454 PhoneBoy 2017-11-17T17:07:21Z https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10278#M1455 <HTML><HEAD></HEAD><BODY><P>Thanks for your suggestions.&nbsp;</P><P></P><P>We have natted internet traffic behind another public ip as a workaround to the issue.&nbsp;</P></BODY></HTML> Thu, 23 Nov 2017 22:48:30 GMT https://community.checkpoint.com/t5/General-Topics/VPN-on-Proxy-ARP-IP-Address/m-p/10278#M1455 Kurt_Abela 2017-11-23T22:48:30Z