Michael_Menen
Participant

Site-2-Site VPN with Cisco Cloud (Cisco Secure Access)

Hi all,

 

We want to set up a site-to-site VPN connection between the Check Point cluster and the Cisco Secure Access Cloud.  
Unfortunately, on the Cisco platform, you must specify either one remote email identifier or two remote public IP addresses.
At the Check Point, I only have one public IP available for the tunnel, the public cluster IP. 
Unfortunately, route-based VPN is not an option either, as Check Point only provides one public IP address, but Cisco Cloud requires two.
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...


Best regards.
Michael

0 Kudos

Accepted Solutions
PhoneBoy
Admin

You can configure the gateway to use an email address as the Tunnel ID: https://support.checkpoint.com/results/sk/sk182890
15 Replies
the_rock
MVP Diamond

Hey Michael,

I am not familiar with that side of Cisco, but I find it very odd that it would require 2 IP addresses. Do you have any document stating that, or a screenshot you can attach from their end?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Michael_Menen
Participant

Good morning Andy,

Attached is the documentation from Cisco.
The issue is the Tunnel-ID.
Cisco requires either an email address or a primary and secondary IP address.

Attachments: Cisco-Cloud-VPN-Tunnel-Group.png, Cisco-Cloud-VPN-Tunnel-ID.png, Cisco-Cloud-VPN-Tunnel-Other.png

Best regards.
Michael 

0 Kudos
the_rock
MVP Diamond

Wait a second. To me, logically, though I could be mistaken, it would imply they are referring to REDUNDANT tunnels, not if it's just a single one. Can you please verify that with them?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Michael_Menen
Participant

Yes, it seems that Cisco wants to establish a second redundant tunnel, but to a different public IP, and there's no way around it.

I tried to configure a route-based VPN tunnel as described in sk100726 (Site-2-Site VPN with AWS) but was informed that on the Cisco side a secondary remote public IP is needed.
I had a remote session with the VPN partner and there's no way to bypass this bloody second public remote IP address.

0 Kudos
the_rock
MVP Diamond

But, if you are able to talk to someone in Cisco support, can you verify this with them? It absolutely makes no logical sense that this would be needed for a single tunnel.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
CKing
Participant

@Michael_Menen 
We're looking at setting up a connection to Cisco Secure Access in the near future, and we're just wondering if you got any feedback from support on whether they are likely to change this requirement of primary/secondary tunnels.

Thinking we'll have to use a second public IP on the Check Point side just to satisfy Cisco.

0 Kudos
PhoneBoy
Admin

You can configure the gateway to use an email address as the Tunnel ID: https://support.checkpoint.com/results/sk/sk182890 

the_rock
MVP Diamond

Interesting, never knew that was possible.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

I didn't either until I searched SK. 🙂

0 Kudos
the_rock
MVP Diamond

I have a hard time believing one of the biggest geniuses I know, aka PhoneBoy, did not know that... just saying 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

If I never ran across it before...how would I know it? 😜

0 Kudos
Michael_Menen
Participant

Thank you very much for the SK.

As far as I understand the SK, certificate authentication is required between the VPN gateways.
I'm not sure if the Cisco Secure Access Cloud supports certificate authentication for VPNs.
In addition to that, I have to renew the IPsec VPN certificate on the Check Point gateways and reboot the firewalls.
After that the "Certificate Subject Alternative Name" will be provided in every VPN tunnel (more than 30 are configured at the moment).
Ufffff...... not sure if the customer will like that.

I will get in contact with the customer and Cisco.
Thanks!

0 Kudos
the_rock
MVP Diamond

Maybe not optimal, but given the circumstances, most likely best option.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

Unless they're all in the same mesh VPN community, you don't have to change all the other VPNs to certificate-based auth.

0 Kudos
71mb00
Explorer

Hi Michael, did you get this working? Did the email address as the Tunnel ID thing work?

0 Kudos