IPSEC Star Community - Access resources on the same Public IP configured on the interoperable Device
Hi There,
I consider this a strange request, but will outline the situation.
Star-based IPSEC VPN Community, which is working perfectly fine to an external 3rd party. The VPN Community is built so the client's private /16 and the external party's private /27 can communicate. Essentially the 3rd party uses the tunnel to keep printing traffic encrypted to client printers.
Currently, users access the 3rd party web portal via an A record with a public IP address that differs from the PIP that the Interoperable Device is configured with. Therefore this access is across the native internet, but does pass through the Check Point firewall that also peers the IPSEC tunnel.
The 3rd party now wants WebGUI access for users to use an A record that resolves to the same PIP as the Interoperable Device. This access currently does not work.
Firewall logging indicates that this traffic attempts to be encrypted across the VPN Community. Eventually it generates an IKE failure, "No Response to Peer". I have attached the 1st log of the communication. A trace route from the client site stops at the Check Point firewall.
I don't know if some of my config is wrong in the VPN community or if this is just an expected outcome. I have limited knowledge of the 3rd party networking configuration, so I cannot yet make the suggestion of using split-brain DNS and resolving the A record to a private IP covered by the VPN Community.
Any advice or assistance would be appreciated.
The Peer IP is always excluded in the encryption domain by default on Check Point.
This causes issues with non-Check Point devices.
Scenario 3 of the following SK discusses this: https://support.checkpoint.com/results/sk/sk108600
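As an added illustration of the reply's point (example code written for this page, not from the thread or from Check Point), here is a small model of the encryption-domain match with the peer's own IP carved out. The networks and the peer address are constructed sample values, and the three outcome labels are assumptions for the example, not Check Point log fields.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, not taken from the thread: a client /16,
# the partner's private /27, and the partner's public peer (PIP) address.
LOCAL_DOMAIN = [ip_network("10.10.0.0/16")]
REMOTE_DOMAIN = [ip_network("192.0.2.0/27")]
PEER_IP = ip_address("198.51.100.1")  # interoperable device's public IP

# What-if for the example: the partner's encryption domain widened to
# include the public range that the peer address itself sits in.
WIDE_REMOTE = REMOTE_DOMAIN + [ip_network("198.51.100.0/24")]


def in_domain(addr, domain):
    """True if addr falls inside any network of an encryption domain."""
    return any(addr in net for net in domain)


def classify(src, dst, local=LOCAL_DOMAIN, remote=REMOTE_DOMAIN,
             peer=PEER_IP, exclude_peer=True):
    """Model how a gateway decides whether src->dst belongs to the VPN.

    Outcomes (labels chosen for this example):
      'encrypt'    - src in the local domain, dst in the remote domain
      'clear-peer' - dst is the peer's own address, which is carved out of
                     the encryption domain by default (the behaviour the
                     reply describes), so it is sent in the clear
      'clear'      - ordinary internet traffic, never VPN traffic
    """
    src, dst = ip_address(src), ip_address(dst)
    if exclude_peer and dst == peer:
        return "clear-peer"
    if in_domain(src, local) and in_domain(dst, remote):
        return "encrypt"
    return "clear"


if __name__ == "__main__":
    # Printing traffic to the partner's private /27: encrypted as intended.
    print(classify("10.10.5.5", "192.0.2.10"))   # encrypt
    # Web portal on an unrelated public IP: plain internet access.
    print(classify("10.10.5.5", "203.0.113.7"))  # clear
    # Web portal on the peer's own PIP with the widened domain: only the
    # exclusion keeps it out of the tunnel; without it the gateway would
    # try to encrypt traffic addressed to the peer itself.
    print(classify("10.10.5.5", "198.51.100.1", remote=WIDE_REMOTE))  # clear-peer
    print(classify("10.10.5.5", "198.51.100.1", remote=WIDE_REMOTE,
                   exclude_peer=False))  # encrypt
```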