This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mikefarmer
Explorer
‎2025-06-16 10:40 PM
Jump to solution

VPN Mesh over Starlink

I have a VPN mesh between multiple Check Point devices.  The last device which sits behind a Starlink internet route will not establish VPN connection even when aggressive mode is enabled.  Debug is showing me that the IKE identifier is FFFFFF and not the name of the firewall. 

0 Kudos
1 Solution

Accepted Solutions
oa_munich
Contributor
‎2025-06-17 10:56 AM
Jump to solution

Are you trying to connect via IPv4? If so, Starlink offers two IPv4 policies, "default" and "public":
- The default IPv4 configuration uses Carrier-Grade Network Address Translation (CGNAT) using private address space from the 100.64.0.0/10 prefix assigned to Starlink clients via DHCP - you are sharing one public IP address with multiple other clients, you can NAT to the outside world, but not back
- The Starlink public IPv4 policy is an optional configuration available to Local and Global Priority customers. A public IPv4 is reachable from any device on the Internet and is assigned to Starlink network clients using DHCP.

You have two options, become a priority customer and switch to the "public" policy OR connect via ipv6 - Starlink provides a /56 prefix.

https://www.starlink.com/support/article/13f0056c-6f6d-5a55-623c-fe94ad9947c5

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2025-06-17 08:53 AM
Jump to solution

If Starlink is somehow modifying/corrupting the IKE packets, not sure there's much we can do on our end.

0 Kudos
oa_munich
Contributor
‎2025-06-17 10:56 AM
Jump to solution

Are you trying to connect via IPv4? If so, Starlink offers two IPv4 policies, "default" and "public":
- The default IPv4 configuration uses Carrier-Grade Network Address Translation (CGNAT) using private address space from the 100.64.0.0/10 prefix assigned to Starlink clients via DHCP - you are sharing one public IP address with multiple other clients, you can NAT to the outside world, but not back
- The Starlink public IPv4 policy is an optional configuration available to Local and Global Priority customers. A public IPv4 is reachable from any device on the Internet and is assigned to Starlink network clients using DHCP.

You have two options, become a priority customer and switch to the "public" policy OR connect via ipv6 - Starlink provides a /56 prefix.

https://www.starlink.com/support/article/13f0056c-6f6d-5a55-623c-fe94ad9947c5

PhoneBoy
Admin
Admin
‎2025-06-17 11:37 AM
In response to oa_munich
Jump to solution

Thanks for sharing.
Doesn't seem that Starlink is very VPN friendly.
That could be a function of CGNAT for IPv4, though.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events