How do I change the local id for an IKEv2 IPsec VPN?


I'm using a Checkpoint VSX with R77.30, configuring it via SmartConsole.

There I have set up an IPsec VPN with IKEv2 to a Cisco device.

The peer is telling me that he gets an odd remote-id for this VPN, so I have investigated this using `vpn debug trunc` and looking into $FWDIR/log/ikev2.xmll afterwards. There I found the following:

less $FWDIR/log/ikev2.xmll

<Exchange serial="71386" Peer="ipsec-peer" Dir="Outbound" Type="Authentication">
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<Payload Type="IDi" Next="Auth" Length="12" Critical="No">

The remote-id that the peer mentioned is my local-id (IDi) in the debug file (9.a.b.c). This is the address of the management interface of the Checkpoint.

What I want to configure instead of 9.a.b.c is the address of the outgoing interface. I have looked up the VPN Administration Guide for R77 Versions but didn't find an answer.

Can anyone help me?
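Added example (not Check Point's code) for the debugging step described above: it scans an ikev2.xmll-style dump for the IDi sent in each outbound IKE_AUTH exchange and flags values that differ from the address the gateway should present. The Exchange/Message/Payload names follow the fragment quoted in the question; the inner `<ID>` element carrying the identity value is an assumed layout, and the sample dump is constructed.

```python
# Added example (not Check Point's code): find the local IKE ID (IDi) sent in
# each outbound IKE_AUTH exchange of an ikev2.xmll-style dump and flag values
# that differ from the address the gateway should present.
# Exchange/Message/Payload element and attribute names follow the fragment in
# the question; the inner <ID> element is an ASSUMED layout.
import xml.etree.ElementTree as ET

# Constructed sample: 9.0.0.1 stands in for the 9.a.b.c management address
# from the question; the peer's IDr uses a documentation address.
SAMPLE_XMLL = """\
<Exchange serial="71386" Peer="ipsec-peer" Dir="Outbound" Type="Authentication">
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<Payload Type="IDi" Next="Auth" Length="12" Critical="No">
<ID Type="ID_IPV4_ADDR" Value="9.0.0.1"/>
</Payload>
</Message>
</Exchange>
<Exchange serial="71387" Peer="ipsec-peer" Dir="Inbound" Type="Authentication">
<Message Valid="Yes" Initiator="No" Response="Yes" higherVer="No">
<Payload Type="IDr" Next="Auth" Length="12" Critical="No">
<ID Type="ID_IPV4_ADDR" Value="203.0.113.5"/>
</Payload>
</Message>
</Exchange>
"""

def outbound_idi(xmll_text):
    """Return (serial, peer, id_type, id_value) for every IDi payload inside
    an Outbound Authentication exchange. The dump is assumed to be a bare
    sequence of <Exchange> elements, so it is wrapped in one root first."""
    root = ET.fromstring("<Log>" + xmll_text + "</Log>")
    found = []
    for exch in root.iter("Exchange"):
        if exch.get("Dir") != "Outbound" or exch.get("Type") != "Authentication":
            continue
        for payload in exch.iter("Payload"):
            if payload.get("Type") != "IDi":
                continue
            ident = payload.find("ID")  # assumed child element holding the ID
            id_type = ident.get("Type") if ident is not None else None
            id_value = ident.get("Value") if ident is not None else None
            found.append((exch.get("serial"), exch.get("Peer"), id_type, id_value))
    return found

def mismatched_ids(xmll_text, expected_local_ip):
    """IDi entries whose value is not the address the peer expects to see."""
    return [e for e in outbound_idi(xmll_text) if e[3] != expected_local_ip]
```

Running `mismatched_ids(SAMPLE_XMLL, "198.51.100.7")` with the constructed external address reports exchange 71386 because the gateway sent the management address as IDi.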




Do you have Link Selection configured with the correct IP Address?

This is set here:

After you've done this, renew the VPN certificate and install policy:


I tried this but it didn't resolve the issue.


Which choice did you make, the main IP or the actual external interface IP?

Regards, Maarten

Hi all,

We have selected here "Selected address from topology table" and used the externalIP.
The Gateway Object was defined with the RFC1918 IP (InternalIP).

It seems that IKEv2 is not using the setting in "Link Selection", it uses the "General Properties" IPv4 Address.
We tried many settings but IKEv2 is always using as the IDi the Gateway IPv4 Address.

Does someone know how to change this without changing the IPv4 Object IPv4?




I have this problem too, and I found sk44978 "Check Point gateways always send main IP address as IKE Main Mode ID", which I thought explained it:

Then I was confused again when I got to the bottom of the solution as it states: 

"For R80.30:

In R80.30, Check Point gateways no longer use the main IP of the gateway as IKE ID, when using IKEV2, and when link selection is configured to use another interface than the main IP (which is the default)."

I am currently experiencing this problem and we are running R80.30. We have the gateway explicitly configured to use the external public IP address:



In the ikemonitor.snoop capture that we took, it is clear to see that the ID is set to the main IP of the firewall cluster:


The Cisco router terminating the site to site IPsec has to match the for the connection to be successful

Should this truly be fixed in R80.30, or is the SK mistaken?