Check Point gateways always send main IP address as IKE Main Mode ID
Symptoms
  • For IKEv2 only:
    The authentication response sent by the Check Point gateway (the IKE_AUTH response, which carries the IDr payload) contains the Main IP address of the cluster as the IKE ID, instead of the address configured in Link Selection.
    **NOTE** For IKEv1, the IKE ID sent in Main Mode Packet 5 follows the Link Selection setting, according to these rules of thumb:
    Link Selection: Selected address from topology - IKEv1 MM ID: the Link Selection address
    Link Selection: Probing HA - IKEv1 MM ID: Main Address
    Link Selection: Calculated IP based on network topology - IKEv1 MM ID: Main Address
Cause

This behavior is by design for IKEv2 in versions before R80.30 (see Solution for the R80.30 change).

For IKEv1, the address used as the IKE ID is a configurable value.


Solution

For IKEv2:

This behavior is by design in versions before R80.30 (see the R80.30 section below): the gateway always sends its main IP address as the IKE ID, regardless of the Link Selection setting.

Note: By default, IKEv2 uses the main IP address as the IKE ID. Since R80.10 the ID can instead be an FQDN or a DN (important for Azure integration); an FQDN or DN ID is not an IP address, so the IP mismatch described below cannot occur with it.


Some third-party VPN peers do not accept an IKE ID of type IP address that differs from the IP address on which the VPN tunnel terminates (the source address of the IKE packets). Such peers reject the authentication, and the tunnel fails with an AUTHENTICATION-FAILED error.

See sk33822 - Site-to-Site VPN connection between Check Point VPN-1 and third-party gateways fails with (AUTHENTICATION-FAILED) error for a possible workaround when this is encountered.
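The failure mode described above, as an added example that is not part of this SecureKnowledge article and is not Check Point code: a Python decoder for the IKE Identification payload (both the IKEv1 and the IKEv2 layout) plus a model of the strict check a third-party responder applies, where an IP-address ID must equal the address the IKE packets arrive from, while an FQDN ID is compared against the configured peer identity instead. The addresses (cluster main IP 192.0.2.10, Link Selection address 198.51.100.10), the FQDN vpn.example.com and the payload byte strings are constructed locally for illustration, not captured from a gateway.

```python
"""
Decode IKE Identification (ID) payloads and apply the strict peer check
that turns a mismatched IKE ID into an AUTHENTICATION_FAILED.
Added example for this article, not Check Point code; all byte strings
and addresses below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import struct

# ID types as defined in RFC 2407 (IKEv1) and RFC 7296 (IKEv2)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

_TYPE_NAMES = {
    ID_IPV4_ADDR: "IPV4_ADDR", ID_FQDN: "FQDN", ID_RFC822_ADDR: "RFC822_ADDR",
    ID_IPV6_ADDR: "IPV6_ADDR", ID_DER_ASN1_DN: "DER_ASN1_DN", ID_KEY_ID: "KEY_ID",
}


def decode_ike_id(payload: bytes, ike_version: int) -> tuple[str, str]:
    """Decode one ID payload (generic header included) into (type_name, value).

    Generic payload header (both versions): Next Payload(1) | Reserved(1) | Length(2)
    ID body, IKEv1 (RFC 2407 s4.6.2): ID Type(1) | Protocol ID(1) | Port(2) | data
    ID body, IKEv2 (RFC 7296 s3.5):   ID Type(1) | RESERVED(3)            | data
    The 4-byte body prefix has the same size in both; only bytes 1-3 differ in meaning.
    """
    if len(payload) < 8:
        raise ValueError("ID payload too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"payload length field {length} != {len(payload)} bytes")
    id_type = payload[4]
    if ike_version == 1:
        proto, port = struct.unpack("!BH", payload[5:8])
        # RFC 2407: in Phase 1 these MUST be zero or UDP/500; 4500 is tolerated
        # here for NAT-T peers (an assumption, not from the RFC).
        if proto not in (0, 17) or port not in (0, 500, 4500):
            raise ValueError(f"unexpected IKEv1 ID protocol/port {proto}/{port}")
    elif ike_version != 2:
        raise ValueError("ike_version must be 1 or 2")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 data bytes")
        return "IPV4_ADDR", str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR needs exactly 16 data bytes")
        return "IPV6_ADDR", str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return _TYPE_NAMES[id_type], data.decode("ascii")
    if id_type in (ID_DER_ASN1_DN, ID_KEY_ID):
        return _TYPE_NAMES[id_type], data.hex()
    raise ValueError(f"unsupported ID type {id_type}")


def strict_peer_check(id_type: str, id_value: str, tunnel_peer_ip: str,
                      expected_id: str | None = None) -> tuple[bool, str]:
    """Model a strict third-party responder: an IP-address ID must equal the
    address the IKE packets arrive from; any other ID type is compared with
    the configured remote identity, so the endpoint address no longer matters."""
    if id_type in ("IPV4_ADDR", "IPV6_ADDR"):
        if ipaddress.ip_address(id_value) != ipaddress.ip_address(tunnel_peer_ip):
            return False, f"AUTHENTICATION_FAILED: ID {id_value} != tunnel endpoint {tunnel_peer_ip}"
        return True, "IP ID matches tunnel endpoint"
    if expected_id is not None and id_value != expected_id:
        return False, f"AUTHENTICATION_FAILED: {id_type} {id_value!r} != expected {expected_id!r}"
    return True, f"{id_type} ID accepted"


def build_id_payload(ike_version: int, id_type: int, data: bytes) -> bytes:
    """Construct an ID payload with its generic header (test data only)."""
    if ike_version == 1:
        prefix = bytes([id_type, 17]) + struct.pack("!H", 500)   # UDP/500
    else:
        prefix = bytes([id_type, 0, 0, 0])                        # RESERVED
    body = prefix + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


# Constructed scenario: cluster main IP 192.0.2.10, Link Selection set to
# 198.51.100.10, so the third-party peer sees IKE packets from 198.51.100.10.
MAIN_IP = "192.0.2.10"
LINK_SELECTION_IP = "198.51.100.10"
IKEV2_IDR_MAIN_IP = build_id_payload(2, ID_IPV4_ADDR, ipaddress.IPv4Address(MAIN_IP).packed)
IKEV1_MM5_ID_LINKSEL = build_id_payload(1, ID_IPV4_ADDR, ipaddress.IPv4Address(LINK_SELECTION_IP).packed)
IKEV2_IDR_FQDN = build_id_payload(2, ID_FQDN, b"vpn.example.com")


def evaluate(payload: bytes, ike_version: int, expected_id: str | None = None) -> tuple[bool, str]:
    """Decode a payload and run it through the strict peer check."""
    id_type, id_value = decode_ike_id(payload, ike_version)
    return strict_peer_check(id_type, id_value, LINK_SELECTION_IP, expected_id)


if __name__ == "__main__":
    for label, payload, version, expected in (
        ("IKEv2, pre-R80.30 behaviour (main IP as IDr)", IKEV2_IDR_MAIN_IP, 2, None),
        ("IKEv1 MM packet 5, Link Selection address", IKEV1_MM5_ID_LINKSEL, 1, None),
        ("IKEv2 with FQDN ID (R80.10+)", IKEV2_IDR_FQDN, 2, "vpn.example.com"),
    ):
        ok, reason = evaluate(payload, version, expected)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {label}: {reason}")
```

The first case is the one this article is about: the responder sees packets from the Link Selection address but an IDr naming the main IP, and rejects. The IKEv1 case passes because Main Mode packet 5 carries the Link Selection address, and the FQDN case passes because no IP comparison is made at all, which is why switching the IKEv2 ID type (R80.10 and later) is a workable alternative when the peer cannot be changed.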

 

For IKEv1:

This is a configurable setting in Check Point's SmartDashboard (since at least R74.46):

(Cluster object > IPSec VPN > Link Selection)

Selecting the 'Selected address from topology table:' or 'Statically NATed IP:' option determines the IPv4 address used as the IKE ID in Main Mode Packet 5. With the probing or calculated-IP options, the main IP address is used (see Symptoms).

 

For R80.30:

Starting in R80.30, Check Point gateways no longer use the main IP address as the IKE ID. This applies to IKEv2 when Link Selection is configured to use an interface other than the main IP (the main IP is the default).

Note: Using "DNS Resolving" or "Link probing" in "Link Selection" with IKEv2 will still result in the gateway using its main IP as the IKE ID.

Note: sk173048 describes a hotfix for an issue found in the new mechanism (R80.30 and higher); the hotfix is required for the behavior to work as stated in this article (sk44978).
