Check Point R77 on X-Series - Enabling IPSec VPN shows error "VPN blade demands gateway's IP address corresponding to the interface's IP addresses"


Article ID: 167866


Products

XOS

Issue/Introduction

If you try to enable the IPSec VPN blade on Check Point R77 when IPv6 interfaces exist in the cluster topology, you may receive an error that states "VPN blade demands gateway's IP address corresponding to the interface's IP addresses". This is a known anomaly for which a workaround exists, as detailed in this KB.

Cause

If any interface in a Check Point R77 cluster topology is configured with an IPv6 address, attempting to enable IPSec VPN in SmartDashboard produces the warning quoted above. You cannot enable IPSec VPN until you provide an IPv6 address for each member of the cluster.

Resolution

N/A

Workaround

To work around this issue, manually add an IPv6 address for each cluster member in the Gateway Cluster members list in Gateway Cluster Properties. Since XOS V9.7.x only supports increment-per-vap for IPv4 addresses, you can create an IPv6 alias address for each cluster member and add the alias address for each member. As an alternative, you can also enter unused IPv6 addresses for cluster members. Then return to the General Properties page, select (check) IPSec VPN, and click OK.
 
Note: Make sure that any unused IPv6 addresses you enter are not propagated or advertised to adjacent routers.
To verify that IPSec is enabled, reopen the Gateway Cluster Properties page, and note that IPSec VPN is enabled.
 
