@Wolfgang I have a TAC open but they have not commented on whether or not the solution I outlined should be configured.
We inquired about this a while ago and @Anatoly mentioned the management interface (magg0) was not required when running in gateway mode, and any interface can be used for management. We haven't had a requirement to address this until now.
I've reviewed sk44978 which does describe the issue.
Of the two scenarios outlined in the SK it links to (sk33822), scenario 1 seems to be the only solution. This entails configuring the gateway to use an FQDN as the Main Mode ID type instead of the default IP address.
This is also a per-gateway change which will apply to all connections. It cannot be configured per VPN community (we previously asked TAC about this and they advised an RFE would be required).
There will be impact to existing 3rd party VPN gateways that are using IP address as the Main Mode ID type. As part of this change, we would need to ensure existing 3rd party gateways support FQDN as the Main Mode ID type and if they are able to implement the change on their end. If they can, we’d need to coordinate the change with each 3rd party to minimize disruption.
The SK states the IDs are not necessary for Check Point gateways. TAC are advising us that Check Point to Check Point VPNs will indeed be impacted. Considering the requirement that both sides authenticate using the same ID method and ID values, and given that the sites where we need to change the Main Mode ID type have VPNs to the majority of our internal sites, we would need to change the Main Mode ID type to FQDN on all gateways that have VPNs between them.
Based on this, would it not be easier to remove the dedicated management interface from the configuration?
We have since deployed a couple of Maestro environments without a management interface which are operating fine.
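The post's core constraint is that IKEv1 Main Mode Phase 1 only succeeds when both peers agree on the ID type and value, so a per-gateway switch from IP address to FQDN has a blast radius covering every peer of that gateway. The following added Python snippet (not from the post, from Check Point or from the SKs cited; peer names, vendors and ID-type support are constructed values) models that rule and turns a peer inventory into a planning report of who is unaffected, who needs a coordinated reconfiguration, and who cannot follow the change at all.

```python
"""Planning model for an IKEv1 Main Mode ID-type change on one gateway.

Constructed example: peer names, vendors, addresses and supported ID types
are invented for illustration and do not describe any real environment.
"""
from dataclasses import dataclass

# IKEv1 identification payload types relevant here (RFC 2407 names shown in comments).
ID_IPV4 = "ipv4"   # ID_IPV4_ADDR, the default Main Mode ID type in the post
ID_FQDN = "fqdn"   # ID_FQDN, the type scenario 1 of sk33822 switches to


@dataclass
class Peer:
    name: str
    vendor: str
    supported_id_types: set      # ID types the peer's software can be configured to accept
    expects_id_type: str         # ID type the peer is currently configured to expect from us


def phase1_id_matches(our_id_type: str, peer: Peer) -> bool:
    """Phase 1 authentication succeeds only if the peer expects the same ID
    method we present (the value must match too; the type is modelled here)."""
    return peer.expects_id_type == our_id_type


def impact_report(new_id_type: str, peers: list) -> dict:
    """Classify every peer of the gateway after it switches to new_id_type:
    - unaffected:  peer already expects the new ID type, no change needed
    - reconfigure: peer breaks until its side is changed, but it supports the type
    - blocked:     peer breaks and its software cannot accept the new type
    """
    report = {"unaffected": [], "reconfigure": [], "blocked": []}
    for p in peers:
        if phase1_id_matches(new_id_type, p):
            report["unaffected"].append(p.name)
        elif new_id_type in p.supported_id_types:
            report["reconfigure"].append(p.name)
        else:
            report["blocked"].append(p.name)
    return report


def change_is_safe(report: dict) -> bool:
    """A change can be scheduled only when no peer is left permanently broken."""
    return not report["blocked"]


# Constructed inventory of peers for one gateway that is about to move to FQDN IDs.
SAMPLE_PEERS = [
    Peer("site-a",    "checkpoint", {ID_IPV4, ID_FQDN}, expects_id_type=ID_IPV4),
    Peer("site-b",    "checkpoint", {ID_IPV4, ID_FQDN}, expects_id_type=ID_FQDN),
    Peer("partner-x", "thirdparty", {ID_IPV4, ID_FQDN}, expects_id_type=ID_IPV4),
    Peer("partner-y", "thirdparty", {ID_IPV4},          expects_id_type=ID_IPV4),
]

if __name__ == "__main__":
    rep = impact_report(ID_FQDN, SAMPLE_PEERS)
    for category, names in rep.items():
        print(f"{category:12s}: {', '.join(names) or '-'}")
    print("safe to schedule:", change_is_safe(rep))
```

Because Check Point peers must match the ID method as well, they land in the "reconfigure" bucket just like cooperative third parties, which is the point TAC made in the post: the change propagates across the whole mesh rather than stopping at the third-party tunnels.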