I'm using a Checkpoint VSX with R77.30, configuring it via SmartConsole.
There I have set up an IPsec VPN with IKEv2 to a Cisco device.
The peer is telling me that he gets an odd remote-id for this VPN, so I investigated this using `vpn debug trunc` and looked into $FWDIR/log/ikev2.xmll afterwards. There I found the following:
<Exchange serial="71386" Peer="ipsec-peer" Dir="Outbound" Type="Authentication">
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<Payload Type="IDi" Next="Auth" Length="12" Critical="No">
The remote-id that the peer mentioned is my local-id (IDi) in the debug file (9.a.b.c). This is the address of the management interface of the Checkpoint.
What I want to configure instead of 9.a.b.c is the address of the outgoing interface (18.104.22.168). I have looked up the VPN Administration Guide for R77 Versions but didn't find an answer.
Can anyone help me?
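The IDi payload in the debug above has Length="12", which is exactly an IKEv2 generic payload header (4 bytes) plus an Identification payload of type ID_IPV4_ADDR (4 bytes of type/reserved plus a 4-byte address, RFC 7296 section 3.5). The following is an added example, not code from this thread or from Check Point, that encodes and decodes such a payload so you can confirm which identity a gateway is actually sending; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import struct

# IKEv2 payload type numbers and Identification types (RFC 7296, sections 3.2 and 3.5).
PAYLOAD_IDI, PAYLOAD_AUTH = 35, 39
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5


def build_idi(identity, next_payload=PAYLOAD_AUTH):
    """Encode an IDi payload: generic header (4 bytes) + ID type/reserved (4 bytes) + data.

    An IPv4 address therefore always yields a 12-byte payload, matching Length="12"
    in the ikev2.xmll debug output.
    """
    try:
        addr = ipaddress.ip_address(identity)
        id_type = ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR
        data = addr.packed
    except ValueError:
        # Not an IP literal: encode as a fully qualified domain name identity.
        id_type, data = ID_FQDN, identity.encode()
    length = 4 + 4 + len(data)
    return struct.pack("!BBH", next_payload, 0, length) + struct.pack("!B3x", id_type) + data


def parse_idi(payload):
    """Return (next_payload, critical, length, id_type, identity) from a raw IDi payload."""
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 8:
        raise ValueError("payload length field does not match data")
    id_type = payload[4]
    data = payload[8:]
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        identity = str(ipaddress.ip_address(data))
    elif id_type == ID_FQDN:
        identity = data.decode()
    else:
        identity = data.hex()  # e.g. ID_DER_ASN1_DN or ID_KEY_ID, left undecoded
    return next_payload, bool(flags & 0x80), length, id_type, identity


def check_identity(payload, expected):
    """True if the identity in the payload equals the address the peer expects."""
    return parse_idi(payload)[4] == expected


if __name__ == "__main__":
    # Constructed case: the gateway sends its management address, the peer expects the egress one.
    sent = build_idi("192.0.2.10")
    print(parse_idi(sent), check_identity(sent, "192.0.2.20"))
```

Running the decoder over the IDi bytes a gateway sends shows immediately whether the identity is the management address or the egress interface, independent of what the GUI settings suggest.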
Do you have Link Selection configured with the correct IP Address?
This is set here:
After you've done this, renew the VPN certificate and install policy:
We have selected "Selected address from topology table" here and used the external IP.
The Gateway Object was defined with the RFC1918 IP (InternalIP).
It seems that IKEv2 is not using the setting in "Link Selection", it uses the "General Properties" IPv4 Address.
We tried many settings, but IKEv2 always uses the Gateway IPv4 address as the IDi.
Does someone know how to change this without changing the object's IPv4 address?