sx8n20394
Explorer

Encryption Domains that are External IPs

Appliance : Locally Managed QS 1535

Firmware r81.10.10

I need to set up a S2S VPN with a customer. They have a requirement that all encryption domains are WAN IP addresses. I have a range of 5 addresses but only 1 is used, which is the WAN interface of my firewall. Do I just tell them my peer and encryption domains are x.x.x.x/32 (same IP)? Also, can I safely assume I should uncheck "Disable NAT" in the site tunnel settings?

11 Replies
PhoneBoy
Admin

Sounds like the right answer on both counts.
Note that your local Encryption Domain should include the hosts that you want to communicate through the VPN.

sx8n20394
Explorer

The network is simple. I have my WAN IP (let's call it 99.1.1.1) and a simple 192.168.1.0/24 local network. I am used to setting up VPNs where the encryption domains are local IP subnets. In this case the vendor will not allow local IPs in my encryption domain; they have to be WAN IPs. In my case, we only utilize 1 WAN IP. I will just go ahead and tell them to use my WAN IP (e.g. 99.1.1.1) as the peer and encryption domain and see what happens.

PhoneBoy
Admin

The local Encryption Domain tells the gateway what traffic to encrypt and must include hosts you wish to traverse the VPN.
As long as NAT is enabled in the VPN configuration (i.e. untick the relevant box), the remote end can use the public IP only as your encryption domain.

sx8n20394
Explorer

Thanks for the advice, but it still doesn't work. The tunnel actually came up at one point but then went down after IPsec Phase 2 rekeyed after 60 minutes. I then got the same error, "Traffic Selectors Unacceptable", again.

Duane_Toler
Advisor

In addition to everyone else's comments, you also need to include the original hosts inside your network (this is needed to trigger the VPN negotiation). Verify the NAT policy also contains appropriate rules for the inside hosts to have NAT applied (you could also NAT the internal hosts to another external host other than your gateway's own IP, if you wanted). The original 192.168.1.x hosts AND the NAT IP need to be in your VPN domain for your side. The remote side only needs your NAT IP.

This is what's causing your rekey to fail after 60 minutes.

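The selector mismatch described in this thread, as an added example (not code from the thread or from Check Point): a simplified model of IKEv2 traffic selector narrowing plus the pre-NAT "does this packet trigger the tunnel" check, using the thread's 99.1.1.1 and 192.168.1.0/24 and a constructed customer domain 203.0.113.0/24. The function names and the customer network are assumptions for illustration.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses for the example (99.1.1.1 and 192.168.1.0/24 are the
# thread's; 203.0.113.0/24 is a hypothetical customer encryption domain).
WAN_IP = ip_network("99.1.1.1/32")        # gateway WAN IP, also used as the NAT IP
LAN = ip_network("192.168.1.0/24")        # original inside hosts
CUSTOMER = ip_network("203.0.113.0/24")   # remote side's encryption domain

def overlap(a: IPv4Network, b: IPv4Network):
    """Intersection of two CIDR blocks: they either nest or are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def narrow(proposed, allowed):
    """Responder-side narrowing (RFC 7296 section 2.9, simplified): keep only the
    parts of the peer's proposed selectors that fall inside our own policy."""
    kept = []
    for p in proposed:
        for a in allowed:
            o = overlap(p, a)
            if o is not None and o not in kept:
                kept.append(o)
    return kept

def negotiate(local_domain, remote_domain, peer_tsi, peer_tsr):
    """Our gateway as IKEv2 responder to a CREATE_CHILD_SA / rekey.
    peer_tsi: addresses the customer will send from; peer_tsr: what it expects
    to reach on our side. Returns (tsi, tsr) or the notify name on failure."""
    tsi = narrow(peer_tsi, remote_domain)
    tsr = narrow(peer_tsr, local_domain)
    if not tsi or not tsr:
        return "TS_UNACCEPTABLE"
    return tsi, tsr

def triggers_tunnel(src: str, dst: str, local_domain, remote_domain) -> bool:
    """Pre-NAT policy lookup: a packet only starts VPN negotiation when its
    original source is inside our VPN domain and its destination inside the peer's."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in local_domain) and any(d in n for n in remote_domain)

# Customer proposal: their LAN <-> our WAN IP only (the "WAN IPs only" requirement).
PEER_TSI, PEER_TSR = [CUSTOMER], [WAN_IP]
lan_only = negotiate([LAN], [CUSTOMER], PEER_TSI, PEER_TSR)            # rekey fails
wan_only = negotiate([WAN_IP], [CUSTOMER], PEER_TSI, PEER_TSR)         # negotiates
lan_plus_nat = negotiate([LAN, WAN_IP], [CUSTOMER], PEER_TSI, PEER_TSR)  # negotiates
```

The last two configurations both pass negotiation, but only the LAN-plus-NAT-IP domain lets a packet from 192.168.1.10 trigger the tunnel in the first place, which is the combination the reply above describes.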
sx8n20394
Explorer

I just let the Check Point select the local domain automatically, so I would assume it is doing that. Also, I am afraid of changing the local encryption domain globally (locally managed, no Smart-1) and not being able to set up future S2S VPNs. Note, I did change it globally to manually managed and still no luck.

the_rock
Legend

If NAT is needed, then don't check "Disable NAT" inside the VPN community object.

Andy

the_rock
Legend

Also, don't check the option to exclude the external IP from the VPN domain; it's on the VPN domain tab under topology or network (can't remember exactly now) when you edit the gw object in SmartConsole.

Andy

sx8n20394
Explorer

Unfortunately, this is just a locally managed device with no SmartConsole.

the_rock
Legend

I suggest involving TAC.

Andy

sx8n20394
Explorer

I did. I have had 2 different cases opened (including 1 currently open) and haven't gotten any solid answers or solutions. The situation is now critical because this is for a client. I will just hold my breath and hope something good happens.
