Encryption Domains that are External IPs
Appliance : Locally Managed QS 1535
Firmware r81.10.10
I need to set up an S2S VPN with a customer. They have a requirement that all encryption domains are WAN IP addresses. I have a range of 5 addresses, but only 1 is used, which is the WAN interface of my firewall. Do I just tell them my peer and encryption domain are x.x.x.x/32 (the same IP)? Also, can I safely assume I should uncheck "disable NAT" in the site tunnel settings?
Labels: Site to Site VPN
Sounds like the right answer on both counts.
Note that your local Encryption Domain should include the hosts that you want to communicate through the VPN.
The network is simple. I have my WAN IP (let's call it 99.1.1.1) and a simple 192.168.1.0/24 local network. I am used to setting up VPNs where the encryption domains are local IP subnets. In this case the vendor will not allow local IPs in my encryption domain; they have to be WAN IPs. In my case, we only utilize 1 WAN IP. I will just go ahead and tell them to use my WAN IP (e.g. 99.1.1.1) as the peer and encryption domain and see what happens.
The local Encryption Domain tells the gateway what traffic to encrypt and must include hosts you wish to traverse the VPN.
As long as NAT is enabled in the VPN configuration (i.e. untick the relevant box), the remote end can use your public IP only as your encryption domain.
Thanks for the advice, but it still doesn't work. The tunnel actually came up at one point but then went down after IPsec Phase 2 rekeyed after 60 minutes. I then got the same error, "Traffic Selectors Unacceptable", again.
In addition to everyone else's comments, you also need to include the original hosts inside your network (this is needed to trigger the VPN negotiation). Verify that the NAT policy also contains appropriate rules for the inside hosts to have NAT applied (you could also NAT the internal hosts to another external address other than your gateway's own IP, if you wanted). The original 192.168.1.x hosts AND the NAT IP need to be in your VPN domain for your side. The remote side only needs your NAT IP.
This is what's causing your rekey to fail after 60 minutes.
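As an added illustration (not code from this thread or from Check Point), here is a small Python model of the IKEv2 traffic-selector narrowing rule from RFC 7296 section 2.9, which is the mechanism behind the "Traffic Selectors Unacceptable" (TS_UNACCEPTABLE) error reported above: the responder intersects the selectors the initiator proposes with its own configured domains, and an empty intersection is rejected. The 99.1.1.1 and 192.168.1.0/24 values come from the thread; the customer's 203.0.113.0/24 domain and all function names are assumptions made for the example.

```python
"""Toy model of IKEv2 traffic-selector (TS) narrowing (RFC 7296, section 2.9).

Each peer carries a configured encryption domain. The initiator proposes
TSi (its own addresses) and TSr (the addresses it wants to reach); the
responder keeps only the part its policy allows. If nothing survives it
answers TS_UNACCEPTABLE, which is the error seen in the thread.
"""
from ipaddress import ip_network

# Values taken from the thread.
INSIDE = [ip_network("192.168.1.0/24")]   # our internal hosts (pre-NAT)
WAN_IP = [ip_network("99.1.1.1/32")]      # our public IP, also the NAT address
# Constructed value: the customer's own encryption domain (documentation range).
REMOTE = [ip_network("203.0.113.0/24")]


def narrow(proposed, allowed):
    """Return, for each proposed prefix, the part that the policy allows.

    Two CIDR prefixes that overlap are always nested, so their intersection
    is simply the more specific (longer-prefix) one.
    """
    result = set()
    for p in proposed:
        for a in allowed:
            if p.overlaps(a):
                result.add(p if p.prefixlen >= a.prefixlen else a)
    return sorted(result)


def negotiate(init_tsi, init_tsr, resp_local, resp_remote):
    """Responder-side decision for one CHILD_SA proposal.

    init_tsi   : addresses the initiator claims as its own side
    init_tsr   : addresses the initiator wants to reach
    resp_local : the responder's own encryption domain
    resp_remote: what the responder has configured as the peer's domain
    Returns (status, narrowed_tsi, narrowed_tsr).
    """
    tsi = narrow(init_tsi, resp_remote)
    tsr = narrow(init_tsr, resp_local)
    if not tsi or not tsr:
        return ("TS_UNACCEPTABLE", [], [])
    return ("OK", tsi, tsr)


def original_source_proposed():
    """Our side proposes the real 192.168.1.0/24 as TSi, but the customer
    only accepts 99.1.1.1/32 for us: the intersection is empty."""
    return negotiate(INSIDE, REMOTE, REMOTE, WAN_IP)[0]


def natted_source_proposed():
    """Our side proposes the NAT address 99.1.1.1/32 as TSi, matching what
    the customer configured for us: the proposal is accepted."""
    return negotiate(WAN_IP, REMOTE, REMOTE, WAN_IP)


if __name__ == "__main__":
    print("pre-NAT source proposed :", original_source_proposed())
    status, tsi, tsr = natted_source_proposed()
    print("NAT address proposed    :", status,
          [str(n) for n in tsi], [str(n) for n in tsr])
```

The model shows why the address that appears in the selector has to be the one the customer expects: whatever the gateway ends up proposing as its own side must fall inside what the remote peer has configured as our domain, and the 192.168.1.x hosts can only reach the tunnel if they are translated to that address before the selector is built.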
I just let the Check Point select the local domain automatically, so I would assume it is doing that. Also, I am afraid of changing the local encryption domain globally (locally managed, no Smart-1) and not being able to set up future S2S VPNs. Note, I did change it globally to manually managed and still no luck.
If NAT is needed, then don't check "disable NAT" inside the VPN community object.
Andy
Also, don't check the option to exclude the external IP from the VPN domain; it's on the VPN domain tab under topology or network (can't remember now exactly) when you edit the GW object in SmartConsole.
Andy
Unfortunately, this is just a locally managed device with no SmartConsole.
I suggest involving TAC.
Andy
I did. I have had 2 different cases opened (including 1 currently open) and haven't gotten any solid answers or solutions. The situation is now critical because this is for a client. I will just hold my breath and hope something good happens.
