VPN from a non-internet interface


I have been trying to configure a VPN between our Checkpoints (in ClusterXL) to a Juniper SRX with little success.

The situation is that we need to tunnel across the internal network rather than from the internet-facing interface.

How would I configure this on the Checkpoint so that it is listening for IKE on a particular VLAN subinterface rather than the Internet interface?


Thanks for your help.

The gateway listens on all interfaces for VPN connections; it is not limited to the Internet side of things.
To make sure a specific IP / interface is used for initiating or responding to a VPN, set up Link Selection in the gateway object under IPsec VPN.
First you can set up the main IP for the tunnel to use, and next to that you can also set the responding IP (in the source settings).
Regards, Maarten


Curious what the effect is when you specify "Selected address from topology table:". Does that then limit the VPN connections to only that IP? If there was a scenario where you needed both an external and internal VPN to terminate on the same gateway, would it be possible to achieve? If so, how? Would you need a virtual interface and IP on the gateway to use for all VPN terminations?



Had a problem exactly like that a little while back. There can be 2 answers to this question. For our situation, with all Check Point firewalls managed by the same management server, this does not work, as you cannot tell the other side anything else but the center firewall to connect to. We ended up building 2 VSs to deal with it.
Another situation comes in when, like yours, the satellites are managed by a different management server/third party.
In your situation you can set the source part in link selection to use the routing table of the center gateway.
Regards, Maarten
