I've now set up a test solution which so far seems to work; see below:
Key:
CPMGR = IP address of Checkpoint MGR
CVPN = Central VPN Public IP
RVPN-P = Public IP for Remote VPN Gateway
RVPN-I = Private IP for Remote VPN Gateway
I've recently had to deal with a scenario where a remote CP gateway was behind a Fortigate FW. This firewall serves as a NAT device, and therefore the remote Checkpoint gateway (RVPN-I) was allocated an RFC 1918 address.
When creating the remote gateway (RVPN-I), clearly the topology would not be aware of the public IP, so in order to solve this you would need to do the following:
Within the remote gateway properties do the following:
Under IPSec VPN > Link Selection select 'Statically NATed IP' and enter the public IP that will be used for VPN traffic.
Note: It's important that you do not have any objects defined for the public IP or it will not work.
Fortigate configuration is below (configuration based on the v6.x version of FG code):
Inbound:
config firewall policy
    edit xx
        set name "Inbound to Checkpoint RVPN"
        set srcintf "Internet"
        set dstintf "Internal"
        set srcaddr "CVPN"
        set dstaddr "RVPN-P"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set logtraffic all
        set fsso disable
    next
    edit xx
        set name "Outbound to CVPN"
        set srcintf "Internal"
        set dstintf "Internet"
        set srcaddr "RVPN-I"
        set dstaddr "CVPN"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set logtraffic all
        set fixedport enable    <--- Important to have this enabled or it will randomise the outgoing port
        set ippool enable
        set poolname "RVPN-P"
        set fsso disable
        set nat enable
    next
end
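A quick way to confirm that the outbound policy really preserves the IKE source port (the point of `set fixedport enable`) and translates to the intended pool address is to audit the FortiGate traffic log for the outbound policy. The script below is an added example, not part of the original post or of any vendor tooling: it parses constructed FortiGate-style traffic log lines (the field names `srcport`, `dstport`, `proto`, `trandisp`, `transip`, `transport` follow the FortiOS traffic log format; the addresses are documentation-range placeholders) and flags any IKE/NAT-T flow whose translated source port differs from the original or whose translated address is not the expected RVPN-P pool IP. ESP (IP protocol 50) carries no ports and is skipped.

```python
import re
from dataclasses import dataclass

# Constructed FortiGate-style traffic log lines (not real captures). Addresses are
# placeholders: 10.20.30.5 stands in for RVPN-I, 198.51.100.20 for the RVPN-P pool
# and 203.0.113.10 for CVPN.
SAMPLE_LOGS = [
    # OK: UDP 500 preserved through the SNAT pool (fixedport enabled)
    'type="traffic" subtype="forward" srcip=10.20.30.5 srcport=500 dstip=203.0.113.10 '
    'dstport=500 proto=17 action="accept" policyname="Outbound to CVPN" '
    'trandisp="snat" transip=198.51.100.20 transport=500',
    # OK: NAT-T on UDP 4500 preserved
    'type="traffic" subtype="forward" srcip=10.20.30.5 srcport=4500 dstip=203.0.113.10 '
    'dstport=4500 proto=17 action="accept" policyname="Outbound to CVPN" '
    'trandisp="snat" transip=198.51.100.20 transport=4500',
    # BAD: source port randomised by PAT (what you see without fixedport)
    'type="traffic" subtype="forward" srcip=10.20.30.5 srcport=500 dstip=203.0.113.10 '
    'dstport=500 proto=17 action="accept" policyname="Outbound to CVPN" '
    'trandisp="snat" transip=198.51.100.20 transport=61234',
    # BAD: translated to an address outside the RVPN-P pool (wrong/missing poolname)
    'type="traffic" subtype="forward" srcip=10.20.30.5 srcport=500 dstip=203.0.113.10 '
    'dstport=500 proto=17 action="accept" policyname="Outbound to CVPN" '
    'trandisp="snat" transip=198.51.100.99 transport=500',
    # Not IKE: ordinary TCP flow, ignored by the audit
    'type="traffic" subtype="forward" srcip=10.20.30.5 srcport=51000 dstip=203.0.113.10 '
    'dstport=443 proto=6 action="accept" policyname="Web" '
    'trandisp="snat" transip=198.51.100.20 transport=51000',
]

IKE_PORTS = {500, 4500}   # IKE and NAT-T (UDP)
UDP = "17"


@dataclass
class Finding:
    policy: str
    srcip: str
    reason: str


def parse_log(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict, stripping quotes."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}


def audit_ike_snat(lines, expected_pool_ip: str) -> list:
    """Return findings for SNATed IKE/NAT-T flows that would break the VPN."""
    findings = []
    for line in lines:
        f = parse_log(line)
        if f.get("proto") != UDP or int(f.get("dstport", 0)) not in IKE_PORTS:
            continue                      # only IKE / NAT-T matters here
        if f.get("trandisp") != "snat":
            continue                      # no source NAT applied to this flow
        srcport, transport = int(f["srcport"]), int(f["transport"])
        policy, srcip = f.get("policyname", "?"), f.get("srcip", "?")
        if transport != srcport:
            findings.append(Finding(policy, srcip,
                f"source port rewritten {srcport}->{transport}; "
                "enable 'set fixedport enable' on this policy"))
        if f.get("transip") != expected_pool_ip:
            findings.append(Finding(policy, srcip,
                f"translated to {f.get('transip')}, expected pool {expected_pool_ip}; "
                "check 'set poolname'"))
    return findings


if __name__ == "__main__":
    for finding in audit_ike_snat(SAMPLE_LOGS, "198.51.100.20"):
        print(f"[{finding.policy}] {finding.srcip}: {finding.reason}")
```

Run it against a log export (`execute log filter` on the FortiGate, or the lines from your log collector) with the real RVPN-P address; an empty result means the IKE source ports and the pool address survive the NAT as the Check Point peer expects.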
I did also have the added complication where the CPMGR is also translated as it leaves the HQMGR, but this deals with management flow traffic. Below are the rules I added on the FG to ensure management traffic worked.
config firewall policy
    edit xx
        set name "CPMGR to RVPN"
        set srcintf "Internet"
        set dstintf "Internal"
        set srcaddr "CPMGR"
        set dstaddr "RVPN-P"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "CP_rtm" "CPD" "CPD_amon" "FW1" "FW1_CPRID" "FW1_ica_push" "FW1_ica_services" "FW1_sam"
        set logtraffic all
        set fsso disable
    next
    edit xx
        set name "RVPN to MGR"
        set srcintf "Internal"
        set dstintf "Internet"
        set srcaddr "RVPN-I"
        set dstaddr "CPMGR"
        set action accept
        set schedule "always"
        set service "CPD" "FW1" "FW1_CPRID" "FW1_ica_pull" "FW1_ica_services" "FW1_log"
        set logtraffic all
        set ippool enable
        set poolname "RVPN-P"
        set fsso disable
        set nat enable
    next
end
Additionally, I would suggest running the following from the RVPN-I gateway to make sure CRL retrieval works:
vpn crlview -obj <MyObj> -cert <MyCert>
If this does not work, then troubleshoot it, as this will cause the VPN to go down.