VPN tunnel without public IP on the External interface

Please consider the following diagram:

[Diagram: VPN adresse privee.png]

The Check Point firewall is a VS on a VSX Cluster running R80.20.

The External interface is assigned a private IP address. But public IP addresses 1.1.1.0/24 are routed to this Check Point firewall.

I need to make a VPN tunnel with a Cisco device with IP 2.2.2.2.

Do you guys have any ideas?

We tried so far to add a dummy interface on the VS that leads to nowhere, but with a Public IP 1.1.1.1. There is a negotiation of the tunnel with the Cisco device, but IKE Phase 1 doesn't go through.

On the Cisco side, we have error messages like:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...

On Check Point's side we have:
Main Mode Sent Notification to Peer: authentication failed

With a public IP address on the external interface, there is no problem.
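As an added example (not part of the original post, and not Check Point or Cisco code): a small Python triage helper that runs over constructed copies of the two Cisco messages quoted above and flags the combination this thread reports, unencrypted IKE packets from a peer together with phase 1 retransmits stuck in MM_KEY_EXCH. That pairing is worth checking against the peer's addressing and topology before touching proposals or pre-shared keys.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two Cisco lines quoted in the post.
SAMPLE_LOG = """\
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...
"""

# Peer address of a packet that arrived in clear text after the key exchange.
NOT_ENCRYPTED = re.compile(r"IKMP_NOT_ENCRYPTED: IKE packet from (\d+\.\d+\.\d+\.\d+)")
# ISAKMP SA id and main-mode state of a phase 1 retransmit.
RETRANSMIT = re.compile(r"ISAKMP: \((\d+)\):retransmitting phase 1 (MM_\w+)")


def triage_ike_phase1(log_text, retransmit_threshold=2):
    """Summarise IKEv1 phase 1 symptoms from Cisco syslog/debug lines.

    Returns per-peer unencrypted-packet counts, SAs that keep retransmitting
    in one main-mode state, and a flag suggesting the peer's IKE source
    address or identity does not match what this side expects.
    """
    unencrypted = defaultdict(int)   # peer IP -> count
    retransmits = defaultdict(int)   # (sa_id, state) -> count
    for line in log_text.splitlines():
        m = NOT_ENCRYPTED.search(line)
        if m:
            unencrypted[m.group(1)] += 1
            continue
        m = RETRANSMIT.search(line)
        if m:
            retransmits[(m.group(1), m.group(2))] += 1

    stuck = [(sa, state, n) for (sa, state), n in retransmits.items()
             if n >= retransmit_threshold]
    findings = [f"peer {peer}: {n} unencrypted IKE packet(s) after key exchange"
                for peer, n in unencrypted.items()]
    findings += [f"SA {sa}: phase 1 stuck in {state} ({n} retransmits)"
                 for sa, state, n in stuck]
    return {
        "unencrypted_by_peer": dict(unencrypted),
        "stuck_sas": stuck,
        "findings": findings,
        # Both symptoms together: check link selection / peer topology first.
        "suspect_peer_addressing": bool(unencrypted) and bool(stuck),
    }


if __name__ == "__main__":
    for line in triage_ike_phase1(SAMPLE_LOG)["findings"]:
        print(line)
```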

You need to use VPN link selection on the VS object and assign the 1.1.1 to an interface and set that interface as the interface to use for the VPN. That should do it; also check that the setting for Source IP Address is set to the selected interface.
Regards, Maarten

Thank you!
That solution works.
We had trouble because of duplicate interoperable device objects on the Check Point side… The Cisco device was created twice, but with different Topology.
