S2S with local VPN Peer static NAT
S2S VPN over the Internet. Using public IP addresses as peer addresses. If my Check Point R80.10 gateway external IP address is a private address for BGP peering, can I terminate an S2S VPN on the gateway by using a public IP Static NAT configured on the same gateway? It's quite common to see scenarios where there is a Public<=translates to=>Private NAT device in front of the VPN peer, but does it work if the Check Point VPN peer also does the NAT required as well?
(Check Point R80.10 cluster Private IP<=translate to=>Public NAT) <=VPN connects to => Remote VPN Peer Public IP
I believe so, you would set the appropriate IP in Gateway Object > IPSec VPN > Link Selection.
Thanks for the above info, and I guess that means I can define the statically NAT'd IP address. But I have found this KB article, sk44978, that suggests that for IKEv2 it will always use Main IP. So is IKEv2 problematic where any NAT traversal for an S2S VPN is required?
Forgot about that particular limitation.
Hadn’t heard of specific issues around it, though.
The SK does mention a workaround.
