Re: VPN tunnel without public IP on the External i...

Louis_Poulin · ‎2019-04-10

Please consider the following diagram:

VPN adresse privee.png

The Check Point firewall is a VS on a VSX Cluster running R80.20.

The External interface is assigned a private IP address. But public IP addresses 1.1.1.0/24 are routed to this Check Point firewall.

I need to make a VPN tunnel with a Cisco device with IP 2.2.2.2.

Do you guys have any ideas?

We tried so far to add a dummy interface on the VS that leads to nowhere, but with a Public IP 1.1.1.1. There is a negotiation of the tunnel with the Cisco device, but IKE Phase 1 doesn't go through.

On the Cisco side, we have error messages like:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...

On Check Point's side we have:
Main Mode Sent Notification to Peer: authentication failed

With a public IP address on the external interface, there is no problem.

Maarten_Sjouw · ‎2019-04-10

You need to use VPN link selection on the VS object and assign the 1.1.1 to a interface and set that interface as the interface to use for the VPN. That should do it, also check that the setting for Source IP Address is set to the selected interface.

Regards, Maarten

Louis_Poulin · ‎2019-04-11

Thank you!

That solution works.

We had trouble because of duplicate interoperable device objects on the Check Point side… The Cisco device was created twice, but with different Topology.

Are you a member of CheckMates?

VPN tunnel without public IP on the External interface