StackCap43382
Collaborator

R82 - IKE ID Peer VPN Peer?

Hi All,

There is an external HA cluster whose MAIN IP is a private IP address.

They are experiencing an issue with an S2S VPN peer rejecting the Peer ID, as in IKEv2 the Active member will use the MAIN IP when establishing the VPN.

In R82 I see there is now the enhanced Link Selection feature.

Will this override the MAIN IP and allow us to bypass this limitation of IKEv2 on R81.X?

Are there any other planned features regarding IKE ID that I am not aware of in R82?

Or is this a question for our SE to answer?

Thanks.

CCSME, CCTE, CCME, CCVS
5 Replies
the_rock
MVP Diamond

That's my understanding as well; it would override the main IP, but I have not tested it in the lab yet.

Andy

Best,
Andy
"Have a great day and if it's not, change it"
LazarusG
Advisor

I have a ticket for it - the peer is asking us to confirm the IKE ID on enhanced link selection. As far as I can tell, it will need captures and debugs and offline checking in Wireshark and IKEView - then I wonder if BestRoutingSenderIP from sk108600 might be needed? You'd hope it wouldn't be so much of a faff anymore... if I'm lucky the other side is a Palo and I can't tell the Palo the remote ID in the IKE gateway peer identification field... I hope... I'll let you know 🙂

the_rock
MVP Diamond

Are you using enhanced link selection in R82?

Best,
Andy
"Have a great day and if it's not, change it"
RS_Daniel
Advisor

Hello,

I must say I did not read the enhanced link selection documentation in R82, but below are the options we found in the past for this limitation.

If you will use only one external interface for VPNs with third parties, you could use one of the recommended options from sk44978:

"In SmartConsole, open the Security Gateway object -> IPSec VPN > Link Selection.

Selecting the "Selected address from topology table:" or "Statically NATed IP:" option will affect the IPv4 address used as the IKE ID in Main Mode Packet 5."

However, if you use more than one external interface, it is not a perfect solution. Another suggestion from Check Point is in sk33822:

"Configure the Security Gateway to work with ID configured to an FQDN"

In this post we received another suggestion: use one VS per external interface so we can use the options from sk44978.

IKE Main Mode ID - Check Point CheckMates

HTH.

Regards
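To confirm which identity the gateway actually sends (private main IP versus the FQDN ID the sk articles above describe), here is an added example, not code from this thread or from Check Point, that decodes an IKEv2 Identification (IDi/IDr) payload per RFC 7296 section 3.5. The two payloads it decodes are constructed, and 10.1.1.1 and vpn.example.com are placeholder values.

```python
"""Decode an IKEv2 Identification payload (RFC 7296 section 3.5) to see
which IKE ID a gateway really sent. Added example, not Check Point code;
the sample payloads below are constructed."""
import ipaddress
import struct

# ID Type codes from RFC 7296 section 3.5
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}


def parse_id_payload(payload: bytes) -> dict:
    """Layout: generic header (next payload, flags, length), ID type (1 byte),
    3 reserved bytes, then the identification data."""
    if len(payload) < 8:
        raise ValueError("too short for an IKEv2 ID payload")
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} != {len(payload)}")
    name = ID_TYPES.get(payload[4], f"UNKNOWN({payload[4]})")
    data = payload[8:]
    if name == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR data must be 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    elif name in ("ID_FQDN", "ID_RFC822_ADDR"):
        value = data.decode("ascii")
    else:
        value = data.hex()  # DN / KEY_ID / IPv6 left as raw hex here
    return {"type": name, "value": value, "next_payload": next_payload}


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Assemble a test payload (real ones come out of a packet capture)."""
    header = struct.pack("!BBH", next_payload, 0, 8 + len(data))
    return header + bytes([id_type, 0, 0, 0]) + data


def is_private_address_id(parsed: dict) -> bool:
    """The mismatch from the thread: an IPv4-type ID carrying an RFC 1918
    address, which a peer expecting the public address will reject."""
    if parsed["type"] != "ID_IPV4_ADDR":
        return False
    return ipaddress.ip_address(parsed["value"]).is_private


# Constructed samples: a gateway identifying by its private main IP
# versus one configured to send an FQDN ID instead (placeholder values).
PRIVATE_IP_ID = build_id_payload(1, ipaddress.IPv4Address("10.1.1.1").packed)
FQDN_ID = build_id_payload(2, b"vpn.example.com")
```

Feed it the raw bytes of the IDi payload from a capture (the IKE_AUTH exchange is encrypted, so decrypt in Wireshark or use the gateway's IKE debug output first).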

the_rock
MVP Diamond

I tried using it with one customer, but we could never make it work. Even had a TAC case opened for it, no joy... so for the sake of saving time and frustration, we just decided to use the old-school link selection method and all worked fine.

Best,
Andy
"Have a great day and if it's not, change it"
