Good afternoon, friends.
Tell me please, I have a Check Point 1590 under local management. I set up a VPN tunnel to the address, the tunnel is active, but after that this address cannot be pinged and the tracert command does not work.
What else do I need to do to get access to the desired address?
Grateful for any help.
What is your precise configuration?
Please provide descriptions (with screenshots) and a basic network diagram.
We definitely need some more info... please provide the IP in question, basic routing, config, maybe as @PhoneBoy asked, also a network diagram would help (even something in MS Paint).
Andy
My external address is (for example) 194.1.1.1, the tunnel is set up from 86.1.1.1, the internal address of the desired network is 172.17.0.0 in the tunnel settings, and on the other hand my network is 192.168.1.0. There is no ping. If I turn off the tunnel, there is a ping to 86.1.1.1. I allow the addresses 86.1.1.1 and 172.0.0.0 in the policies, but there is no ping.
What shows up in the logs when you attempt to do this ping?
Have you done any troubleshooting with tcpdump and similar to see if traffic is actually being encrypted and sent to the remote end?
Precise configuration steps taken (with screenshots) would go a long way towards helping you solve the issue.
When I ping 172.17.0.172, the log is empty.
Can you write the exact tunnel setup to get from the network 192.168.1.0 to 172.17.0.0?
I did everything in your link, but it still doesn't work.
In the Device > Routing section, when creating a new route, the next hop VTI (tunnel) is not active.
Is this normal?
What is the remote end of the VPN in this case?
What precisely (with screenshots) have you configured on your end?
If you don't want to share this publicly, I recommend working with our TAC.
Also, for debugging, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
On my side, a tunnel is configured to the address 194.1.1.1; its internal network is 172.17.0.0. On its side, my address is 86.1.1.1 and my internal network is 192.168.0.0. In the tunnel settings, IPsec is specified and the tunnel is active.
But there is no ping to the address 194.1.1.1; if I turn off the tunnel, there is a ping.
In the policies I allowed everything to the addresses 194.1.1.1 and 172.17.0.0.
What else needs to be done?
I am sorry, I have not looked up the entire configuration, but are you trying to ping the peer IP from your firewall which is establishing a VPN tunnel? If so, then you won't be able to, by design. You can probably exclude echo-request from the VPN community and try?
Yes - it won't be able to ping the peer IP address for the VPN.
Why? Please tell me the solution.
As I said, you can create a custom tunnel with crypt.def and exclude the peer IP, since this is a known and documented solution, or exclude echo-request from the tunnel, but this way no one will be able to ping through the tunnel.
We automatically include the Peer IP as part of the encryption domain on our end.
It’s covered in scenario 3 here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...
If this SMB device is self-managed, you can apply the same fix.
However, getting it to be effective will mean making a change to the access policy or forcing it via the CLI (forget the exact command for this).
Just curious, what happens if you trace route to that IP? Does it even take any hops? If you say it works without the VPN, can you send us the path you get?
Yes, that is right!! It never goes out. It drops the connection.
I ask you to be condescending; I'm just starting to master the Check Point 1590.
Tell me what exactly I need to do to set it up, step by step?
Hey @Dmitryfd ,
No one is condescending, we are simply doing our best to help you. @Blason_R actually gave a good suggestion. I believe he was referring to the below article:
But can you please answer what I asked before, if you don't mind? It would be good if we could see a trace route to that external IP through the tunnel and when it works.
Andy
@the_rock has given the correct link and @Dmitryfd, as I said, unfortunately it's not possible without those efforts. I am not sure how you exclude the IP address from the community the way we do it on a mgmt server. I used to do it the same way: exclude the echo-request from the VPN community and then PING; if that succeeds, add it to the community again.
Or here is one more trick. NAT the traffic going to the peer IP address behind another IP and you should be able to ping the peer IP like this:
Let's suppose your encryption domain is 10.1.1.0/24
FW IP is 1.1.1.1
Peer IP is 2.2.2.2
Then NAT one of the IPs from 10.1.1.0, like 10.1.1.100, behind 1.1.1.2. Since now 1.1.1.2 and 2.2.2.2 are not part of the VPN tunnel, you should be able to ping from the encryption domain.
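The behaviour described in the two posts above (the peer IP being treated as part of the remote encryption domain, the crypt.def-style exclusion, the echo-request exclusion and the NAT workaround) can be modelled as a small match-decision function. The following is an added example written for this thread, not code from Check Point or from anyone in the discussion; the addresses are the constructed ones from the post (10.1.1.0/24, 1.1.1.1, 2.2.2.2) plus an assumed remote domain of 10.2.2.0/24, and the function names are hypothetical. It only models the "does this flow go into the tunnel?" decision, which is the point the thread turns on:

```python
import ipaddress

# Constructed values, mirroring the example in the post above (not real addresses).
ENC_DOMAIN = ipaddress.ip_network("10.1.1.0/24")    # local encryption domain
FW_IP = ipaddress.ip_address("1.1.1.1")               # local gateway external IP
PEER_IP = ipaddress.ip_address("2.2.2.2")             # remote VPN peer
REMOTE_DOMAIN = ipaddress.ip_network("10.2.2.0/24")   # assumed remote encryption domain


def remote_vpn_scope(remote_domain, peer_ip, include_peer=True):
    """Networks the local gateway treats as 'behind the tunnel'.

    Models what the thread describes: the peer IP is automatically added to the
    remote encryption domain unless it is explicitly excluded (the crypt.def fix).
    """
    scope = [remote_domain]
    if include_peer:
        scope.append(ipaddress.ip_network(f"{peer_ip}/32"))
    return scope


def classify(src, dst, service, *, local_domain=ENC_DOMAIN,
             remote_scope=None, excluded_services=frozenset()):
    """Return 'encrypt' if the flow would be sent into the VPN, else 'clear'."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if remote_scope is None:
        remote_scope = remote_vpn_scope(REMOTE_DOMAIN, PEER_IP)
    # Services excluded from the community are never matched to the tunnel.
    if service in excluded_services:
        return "clear"
    if src in local_domain and any(dst in net for net in remote_scope):
        return "encrypt"
    return "clear"


def nat_source(src, hide_behind):
    """Hide NAT: the gateway sees the translated source, not the original host."""
    return str(ipaddress.ip_address(hide_behind))


def scenarios():
    """Walk through each option discussed in the thread and return the outcome."""
    host = "10.1.1.100"
    echo = "icmp-echo-request"
    results = {}

    # 1. Default: the peer IP sits inside the VPN scope, so the echo is tunnelled
    #    (and the peer does not answer it from inside the tunnel, hence "no ping").
    results["default_ping_peer"] = classify(host, str(PEER_IP), echo)

    # 2. Exclude the peer IP from the remote scope (crypt.def-style exclusion).
    #    Ping to the peer now goes in the clear; traffic to remote hosts is still encrypted.
    no_peer = remote_vpn_scope(REMOTE_DOMAIN, PEER_IP, include_peer=False)
    results["peer_excluded_ping_peer"] = classify(host, str(PEER_IP), echo, remote_scope=no_peer)
    results["peer_excluded_ping_remote_host"] = classify(host, "10.2.2.5", echo, remote_scope=no_peer)

    # 3. Exclude echo-request from the community: fixes the peer ping, but, as the
    #    post warns, no ping goes through the tunnel to remote hosts any more either.
    results["echo_excluded_ping_peer"] = classify(host, str(PEER_IP), echo,
                                                  excluded_services={echo})
    results["echo_excluded_ping_remote_host"] = classify(host, "10.2.2.5", echo,
                                                         excluded_services={echo})

    # 4. NAT trick: hide the host behind 1.1.1.2, which is outside the encryption
    #    domain, so the flow to the peer no longer matches the tunnel.
    natted = nat_source(host, "1.1.1.2")
    results["nat_ping_peer"] = classify(natted, str(PEER_IP), echo)
    # Side effect if the NAT rule is not restricted to destination == peer IP:
    # traffic to the remote domain would also leave in the clear.
    results["nat_ping_remote_host"] = classify(natted, "10.2.2.5", echo)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The last entry is the caveat worth checking before applying the NAT workaround: the hide-NAT rule has to match only the peer IP as destination, otherwise hosts hidden behind 1.1.1.2 fall out of the encryption domain for all their traffic, not just for the ping.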
Good point indeed. Something slightly unrelated, but pretty cool feature in R81.20
Something came to my mind about this... apologies, I don't deal with those SMB appliances much, so forgive me for my ignorance, but I wonder if it gives you the ability to create groups with exclusions that you can use as the encryption domain? If so, I have a good feeling that may work.
Gentlemen, unfortunately, my knowledge does not allow me to quickly and fully implement all the tips right away.
Thank you for your help. I will study your answers.
Thanks again.
Message me, let's do a quick remote session, I will help you.
How can you connect?
Maybe through AnyDesk?
I don't like using AnyDesk, sorry, not trustworthy software for me. Zoom or Webex is fine.
Do you offer a video conferencing connection?
Why can't we simply do Zoom or Webex? We don't need video conferencing lol
Can you provide a link to the Webex client?