
How do I change the local id for an IKEv2 IPsec VPN?

Hi,

I'm using a Checkpoint VSX with R77.30, configuring it via SmartConsole.

There I have set up an IPsec VPN with IKEv2 to a Cisco device.

The peer is telling me that he gets an odd remote-id for this VPN, so I investigated this using `vpn debug trunc` and then looked into `$FWDIR/log/ikev2.xmll`. There I found the following:

```
less $FWDIR/log/ikev2.xmll

...
<Exchange serial="71386" Peer="ipsec-peer" Dir="Outbound" Type="Authentication">
<peerIP>1.2.3.4</peerIP>
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<arrivalTime>2018-12-10T20:17:59</arrivalTime>
<MsgID>1</MsgID>
<initSPI>d6f9fd7e1034a6cd</initSPI>
<respSPI>3ab383fc5bf849bd</respSPI>
<Next>Encr</Next>
<Version>2.0</Version>
<Type>Authentication</Type>
<Length>320</Length>
<Payloads>
<Payload Type="IDi" Next="Auth" Length="12" Critical="No">
<Type>IPV4_ADDR</Type>
<Data>9.a.b.c</Data>
</Payload>
...
```

The remote-id that the peer mentioned is my local-id (IDi) in the debug file (9.a.b.c). This is the address of the management interface of the Checkpoint.

What I want to configure instead of 9.a.b.c is the address of the outgoing interface (5.6.7.8). I have looked up the VPN Administration Guide for R77 Versions but didn't find an answer.

Can anyone help me?

Thanks,

Mathias

0 Kudos
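
Added example, not part of the original post and not Check Point tooling: a small Python check that reads IKEv2 debug XML shaped like the excerpt above and reports every outbound Authentication exchange whose IDi differs from the address the peer should see. The sample input is constructed from the excerpt, and the function names and the assumption that the file is a sequence of complete `<Exchange>` elements are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the excerpt in the post, with the elided
# elements closed; serial 71387 and its IDr payload are made up.
SAMPLE = """
<Exchange serial="71386" Peer="ipsec-peer" Dir="Outbound" Type="Authentication">
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<Payloads>
<Payload Type="IDi" Next="Auth" Length="12" Critical="No">
<Type>IPV4_ADDR</Type>
<Data>9.a.b.c</Data>
</Payload>
</Payloads>
</Message>
</Exchange>
<Exchange serial="71387" Peer="ipsec-peer" Dir="Inbound" Type="Authentication">
<Message Valid="Yes" Initiator="No" Response="Yes" higherVer="No">
<Payloads>
<Payload Type="IDr" Next="Auth" Length="12" Critical="No">
<Type>IPV4_ADDR</Type>
<Data>1.2.3.4</Data>
</Payload>
</Payloads>
</Message>
</Exchange>
"""

def sent_identities(log_text, payload_type="IDi"):
    """Yield (serial, peer, id_type, id_data) for outbound Authentication exchanges."""
    # Assumption: no single root element, so each <Exchange> is parsed on its
    # own and a fragment that is not well-formed XML is skipped.
    for frag in re.findall(r"<Exchange\b.*?</Exchange>", log_text, re.S):
        try:
            ex = ET.fromstring(frag)
        except ET.ParseError:
            continue
        if ex.get("Dir") != "Outbound" or ex.get("Type") != "Authentication":
            continue
        for p in ex.iter("Payload"):
            if p.get("Type") == payload_type:
                yield ex.get("serial"), ex.get("Peer"), p.findtext("Type"), p.findtext("Data")

def mismatches(log_text, expected_id):
    # Identities we sent that are not the address the peer is configured to expect.
    return [r for r in sent_identities(log_text) if r[3] != expected_id]

if __name__ == "__main__":
    for serial, peer, id_type, data in mismatches(SAMPLE, "5.6.7.8"):
        print(f"exchange {serial} to {peer}: sent IDi {id_type} {data}, expected 5.6.7.8")
```

Running the same check after each policy install shows whether a configuration change actually altered the identity sent on the wire.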
3 Replies
Admin

Re: How do I change the local id for an IKEv2 IPsec VPN?

Do you have Link Selection configured with the correct IP Address?

This is set here:

After you've done this, renew the VPN certificate and install policy:

0 Kudos

Re: How do I change the local id for an IKEv2 IPsec VPN?

I tried this but it didn't resolve the issue.

0 Kudos
Maarten_Sjouw
Platinum

Re: How do I change the local id for an IKEv2 IPsec VPN?

Which choice did you make, the main IP or the actual external interface IP?

Regards, Maarten
0 Kudos