- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix! 
All Videos In One Space
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi,
I have recently encountered a somewhat annoying behavior on an IPSec VPN tunnel between a 3100 appliance running Gaia R80.30 and a Zyxel USG 60
Topology is somewhat simple: Checkpoint with internal LAN behind it, attempting communication through IPSec VPN with a NAT-ed LAN behing a Zyxel USG at customer side (the NAT comes due to address restrictions in my Checkpoint environment).
LAN3 cannot be migrated to LAN2 range due to limited onsite resources. Checkpoint doesn't know anything of LAN3 range (and shouldn't, as that is what the customer is NATing to on their side).
Here comes the fun part:
- LAN3 hosts accessing LAN1 servers works fine for permitted services.
- LAN1 hosts accessing LAN2 IP addresses (which are NATed to LAN3 range) are rejected with IKE Failure - "encryption failure: Error occurred" message
NAT definitions and access policies on USG have been checked, rechecked, defined and redefined - what am I missing?
I'm running IKEv1 and the higher encryption - tried lowering it as well but without success (shouldn't be the one causing this anyway)
I'll take any suggestions I can get, I'm running out of ideas on my own 🙂
Thank you!
