https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156073#M7289 <P>Thanks mate, I will take a look at those SKs and provide more information.</P><P>P.S. When I type</P><LI-CODE lang="markup">[Expert@appliance]# fw ctl get int vpn_force_nat_t vpn_force_nat_t = 0</LI-CODE><P>it's disabled on every appliance.</P> Wed, 31 Aug 2022 11:13:07 GMT obsidian11 2022-08-31T11:13:07Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/155889#M7277 <P>Greetings,</P><P>I'm wondering what can cause this issue, I have 2 appliances (locally managed) from&nbsp;<EM>Check Point 700</EM><SPAN>&nbsp;Appliance family&nbsp;</SPAN>(730 &amp; 790). On both of them, there is DDNS feature enabled (because those two are DAIP gateways - don't have static WAN IP), provider is no-ip.com and domains *.ddns.net&nbsp;successfully point to proper dynamic IPs.</P><P>When my friends and I try to establish site to site vpn between those peers, when we put IP addresses (dynamic ones) everything seems fine. However, when we put host names instead of those IPs, tunnel won't go up.</P><P><SPAN>Has anyone run into the same problem?</SPAN></P><P>P.S. Other settings are default ones (authentication: pre-shared secret; encryption: default etc.)</P> Mon, 29 Aug 2022 13:02:23 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/155889#M7277 obsidian11 2022-08-29T13:02:23Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/155895#M7278 <P>Did you follow this sk:&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk109048&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk109048: How to create Site-to-Site VPN between 2 locally managed DAIP 1100/600 Appliances</A>&nbsp;?</P> <P>This one is newer:&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112213&amp;partition=Advanced&amp;product=Quantum" target="_blank">sk112213: How to configure Certificate based Site to Site VPN between two locally managed SMB Appliances</A></P> Mon, 29 Aug 2022 13:12:40 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/155895#M7278 G_W_Albrecht 2022-08-29T13:12:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156064#M7287 <P>Honestly I didn't try this certificate based configuration (as I said, all other gateways are configured via pre-shared key for s2s vpn), but what I did after reading those 2 articles/guides was&nbsp;reinitializing certificates and now I have 2 scenarios..</P><P>There is always green checkmark (tunnels are up), but..</P><P>When I put hostname for the first gateway, and dynamic IP for the second gateway everything works fine.</P><P>However, if I put hostnames for both gateways, there is still green checkmark (signalizing that tunnel is up), but it's not working..</P><P>Any ideas why this happens? I mean configurations are almost same as other gateways from same appliances family.</P> Wed, 31 Aug 2022 10:14:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156064#M7287 obsidian11 2022-08-31T10:14:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156072#M7288 <P><SPAN>Could be a NAT-T issue, see sk167116: In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname. Refer to </SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk162472" target="_blank" rel="noopener">sk162472</A><SPAN> for more information.&nbsp;</SPAN></P> <P><LI-WRAPPER></LI-WRAPPER></P> Wed, 31 Aug 2022 10:35:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156072#M7288 G_W_Albrecht 2022-08-31T10:35:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156073#M7289 <P>Thanks mate, I will take a look at those SKs and provide more information.</P><P>P.S. When I type</P><LI-CODE lang="markup">[Expert@appliance]# fw ctl get int vpn_force_nat_t vpn_force_nat_t = 0</LI-CODE><P>it's disabled on every appliance.</P> Wed, 31 Aug 2022 11:13:07 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-site-VPN-drops-with-Dynamic-DNS/m-p/156073#M7289 obsidian11 2022-08-31T11:13:07Z