topic Re: checkpoint 3600 query on ipsec vpn and ssl vpn in Firewall and Security Management

checkpoint 3600 query on ipsec vpn and ssl vpn

jijotms0511 — Tue, 24 Nov 2020 03:05:17 GMT

Hi Team,

I have a question on Checkpoint model 3600 ( Gaia R80.30)

Checkpoint Interface connected to the internet don't have a static ip and it is dynamic.

Need to achieve an Ipsec site to site VPN with fortinet firewall and also ssl vpn also should be configured with duo authentication. Is the above requirement possible with dynamic public ip for the checkpoint interface connected to internet?

Customer is planning of subscribing to one of the DynDNS service so that the CP firewall can keep updating the DynDNS with the latest IP that the firewall hold.

Also consider creating a CNAME for their company domain that points to the dyndns domain for VPN requirements.

Thanks,

Jijo Thomas

Re: checkpoint 3600 query on ipsec vpn and ssl vpn

PhoneBoy — Tue, 24 Nov 2020 04:47:14 GMT

Only way to do Site2Site VPN with a dynamic IP is with certificate-based authentication.
Not sure how Mobile Access Blade would handle the dynamic IP.
It might be better to use something like our new Corporate Access solution (Formerly known as Odo), which will definitely work with a dynamic IP: https://www.checkpoint.com/odo/

Re: checkpoint 3600 query on ipsec vpn and ssl vpn

jijotms0511 — Tue, 24 Nov 2020 05:07:13 GMT

Thank you so much..let me check on the same.

Re: checkpoint 3600 query on ipsec vpn and ssl vpn

jijotms0511 — Tue, 24 Nov 2020 09:56:04 GMT

Hi , the plan for the user us like below for mobile users with dynamic ip

User -> vpn.customerdomain.com

vpn.customerdomain.com CNAME to XX.dyndns.org

XX.dyndns.org is on dynamic IP that CP will keep updating based on it WAN IP.

Please help to confirm

Thanks,

Re: checkpoint 3600 query on ipsec vpn and ssl vpn

PhoneBoy — Tue, 24 Nov 2020 19:54:32 GMT

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

If you're interested in the above solution, I recommend connecting with your local Check Point office.

Re: checkpoint 3600 query on ipsec vpn and ssl vpn

jijotms0511 — Wed, 25 Nov 2020 06:08:50 GMT

Thank you so much for the explanation!