This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Louis_Poulin
Collaborator
‎2019-04-10 10:09 AM

VPN tunnel without public IP on the External interface

Please consider the following diagram:

VPN adresse privee.png

 

The Check Point firewall is a VS on a VSX Cluster running R80.20.

The External interface is assigned a private IP address. But public IP addresses 1.1.1.0/24 are routed to this Check Point firewall.

I need to make a VPN tunnel with a Cisco device with IP 2.2.2.2.

Do you guys have any ideas?

We tried so far to add a dummy interface on the VS that leads to nowhere, but with a Public IP 1.1.1.1. There is a negotiation of the tunnel with the Cisco device, but IKE Phase 1 doesn't go through.

On the Cisco side, we have error messages like:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...

On Check Point's side we have:
Main Mode Sent Notification to Peer: authentication failed

With a public IP address on the external interface, there is no problem.

0 Kudos
2 Replies
Maarten_Sjouw
Champion
Champion
‎2019-04-10 02:43 PM

You need to use VPN link selection on the VS object and assign the 1.1.1 to a interface and set that interface as the interface to use for the VPN. That should do it, also check that the setting for Source IP Address is set to the selected interface.
Regards, Maarten
Louis_Poulin
Collaborator
‎2019-04-11 08:30 AM
In response to Maarten_Sjouw

Thank you!

 

That solution works.

 

We had trouble because  of duplicate interoperable device objects on the Check Point side… The Cisco device was created twice, but with different Topology.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events