This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mithu
Contributor
‎2021-03-16 11:39 AM

IPv4 traffic over IPv6 IPSec tunnel

I am not sure this is the correct place to address this requirement..

Recently one of my customer had a requirement to create an IPSec tunnel with their partner company, peer side having only IPv6 public IP address and customer having IPv6 and IPv4 public address, and customer and partner side infrastructure network is utilizing IPv4 address scheme. Then we realized this requirement cannot be fulfilled by Checkpoint as of now. So I managed to terminate IPSec using an opensource firewall instance in VM environment and the help of NAT, somehow the solution is provided.

My concern is why checkpoint does not support this feature.  Google quoted that 30% of the internet is using IPv6 at this point of time, so near future most of the ISP connection would be IPv6 only addresses. Big enterprises will adopt IPv6 for their environment but small and medium enterprises will continue with IPv4 addressing for their infrastructure. My prediction is  IPv4 traffic inside an IPv6 IPSec tunnel will be the common use-case within a year or two not to mention some of the customers already started to utilize this technology. 

I hope Checkpoint will release this functionality with upcoming releases.

 

6 Replies
PhoneBoy
Admin
Admin
‎2021-03-16 01:04 PM

We can do separate tunnels with IPv4 and IPv6, but currently can’t tunnel one in the other.
I recommend engaging with your local Check Point office around this requirement.

Wolfgang
Authority
Authority
‎2022-03-06 09:11 AM
In response to PhoneBoy

@PhoneBoy are there any news about 4in6?

We had the similar use case, IPv6 IPSEC-tunnel between gateways and only IPv4 networks in the encryption domains of the gateways. Something new with R81.10 or R81.20 or something on the roadmap ?

PhoneBoy
Admin
Admin
‎2022-03-06 08:04 PM
In response to Wolfgang

Haven't seen/heard anything about this in the roadmap.
As I said above, best to engage with the local Check Point office around this requirement.

0 Kudos
Yasushi_Kono1
Contributor
Contributor
3 weeks ago
In response to PhoneBoy

Hi Daemon,

I have got a request for a migration of an old firewall environment to something new. I would love to get the opportunity to migrate to Check Point. This will be a multi-million Dollar project in the heart of Germany in an OT infrastructure. One requirement is that the IPv4 packets to be forwarded into an IPv6 IPSec Tunnel. I haven't tested this, but is there a special requirement for this? As even in R82, NAT64 is not supported. I haven't tested a configuration in which the external interface of a gateway is IPv6 only and the internal ones IPv4 only. Does this work? If not, you need to acquire programmers to code this as soon as possible.

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to Yasushi_Kono1

NAT46 / NAT64 is supported from R81.10: https://support.checkpoint.com/results/sk/sk163313 
If/how it works with VPN is a separate question.

_Val_
Admin
Admin
‎2022-03-06 11:19 PM
In response to Wolfgang

Open an RFE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events