Bharat_B
Participant

Large scale VPN with Dynamically Assigned IP Gateways (DAIP)

Does anyone have experience with deploying Check Point gateways in a large-scale hub-and-spoke setup with dynamically assigned IP gateways?

We've got a case where we have two corporate offices, A and B, and 49 branch offices to be connected. Some of the 49 are connected to A and some to B. There are existing network links between A and B. All the branches have DSL-type Internet connections with dynamically assigned IPs on ISP-provided routers. Branch firewalls will be behind these routers through NAT. We're looking at inter-connecting the branches to the two offices. There will be main Check Point gateways with fixed IPs at the two offices A and B, with management appliances. Users in branches access the internet via their branch connections, not via head office. I've got a couple of questions:

1) Will DAIP and LSV features of Check Point work correctly in this scenario?

2) Are there any guides or references to deploy such a system?

3) Reading the VPN Admin Guide, page 119: how does that work? Is there some Dynamic DNS service involved here?

Use DNS Resolving: This method is required for Dynamically Assigned IP (DAIP) Security Gateways. A VPN tunnel to a DAIP Security Gateway can only be initiated using DNS resolving since the IP address of the DAIP Security Gateway cannot be known in advance. If using this method for a non-DAIP Security Gateway, the IP address must be defined in the Topology tab. Without DNS resolving, a DAIP Security Gateway can only initiate the first connection between two peers. The second connection can be initiated by the peer Security Gateway as long as the IP address of the DAIP Security Gateway has not changed.

I was unable to find much info on either DAIP or LSV unfortunately apart from the admin guides.

Thanks

0 Kudos
3 Replies
Maarten_Sjouw
Champion

I don't know LSV, but the type of environment you are describing is nothing new to us. We have a number of customers with similar setups and also a number of them have DAIP gateways.

First question will be: is it a hub-and-spoke system you want (all remote sites can only talk to the central site), or will all sites be connecting to all other sites?

To center only: Star topology

To all others: Meshed topology

The way DAIP works is that the DAIP gateway will connect to the management using the Phone Home system. Once the gateway has been connected to the management server (SIC is established), it will on a regular basis connect back to management and report the IP it is working from.

In the VPN community make sure to set permanent tunnels to on.

For a Star topology there is no problem, as all remote gateways will initiate the VPN to the central sites and the VPN supports traffic both ways.

When you need the Meshed topology it will be hard for a DAIP site to reach another DAIP site. However, the central management server does know about it and could potentially inform the other gateways. This will only work when you have a DSL version of the Gateway or when you apply this:

One piece of advice: on these ADSL routers, always fix the external IP of the gateway and set the IP of the FW as the DMZ host in that router; this way you can still connect to SSH or the WebUI when needed.

Do not forget to set admin access to allow the IP address/range you're coming from and allow access through WAN.

Regards, Maarten
0 Kudos
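The "Use DNS Resolving" passage quoted in the question, and Maarten's point that a Star topology works because the remote gateways initiate, both come down to one rule: a hub can only initiate towards a DAIP peer if it has a current address for it. The following added example (written for this page, not code from the thread or from Check Point) models that address-selection rule so the failure mode is visible: a DAIP branch whose ISP re-addressed it is still reachable via DNS resolving but not via the last-seen address. All peer names, addresses, and the in-memory resolver are constructed for illustration.

```python
"""Added example (not from the thread or from Check Point): a small model of
how a VPN initiator picks the address of a peer gateway, following the
"Use DNS Resolving" rule quoted in the question. Names, addresses and the
resolver below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Resolver = Callable[[str], Optional[str]]


class Unreachable(Exception):
    """No usable address for the peer: the tunnel cannot be initiated from this side."""


@dataclass
class Peer:
    name: str
    daip: bool                          # dynamically assigned external IP?
    topology_ip: Optional[str] = None   # fixed IP from the Topology tab (non-DAIP only)
    dns_name: Optional[str] = None      # name the DAIP peer keeps updated (e.g. dynamic DNS)
    last_seen_ip: Optional[str] = None  # source IP of the peer's last inbound tunnel


def make_resolver(table: dict) -> Resolver:
    """Constructed stand-in for DNS: returns the mapped IP, or None for NXDOMAIN."""
    return lambda name: table.get(name)


def select_peer_ip(peer: Peer, resolve: Resolver, use_dns_resolving: bool) -> str:
    """Address this gateway would use to initiate a tunnel to `peer`."""
    if not peer.daip:
        # Static peer: the admin guide says the Topology tab IP is mandatory.
        if peer.topology_ip is None:
            raise ValueError(f"{peer.name}: non-DAIP peer needs an IP in the Topology tab")
        return peer.topology_ip
    if use_dns_resolving:
        if peer.dns_name is None:
            raise Unreachable(f"{peer.name}: DAIP peer has no DNS name to resolve")
        ip = resolve(peer.dns_name)
        if ip is None:
            raise Unreachable(f"{peer.name}: {peer.dns_name} does not resolve")
        return ip
    # Without DNS resolving the only hint is where the peer came from last
    # time, which is exactly the "as long as the IP has not changed" caveat.
    if peer.last_seen_ip is None:
        raise Unreachable(f"{peer.name}: DAIP peer must initiate the first tunnel")
    return peer.last_seen_ip


def attempt_tunnel(peer: Peer, actual_ip: str, resolve: Resolver,
                   use_dns_resolving: bool) -> Tuple[Optional[str], bool]:
    """Simulate a hub initiating to `peer`, whose current public IP is `actual_ip`.
    Returns (address tried, whether IKE would actually reach the peer)."""
    try:
        target = select_peer_ip(peer, resolve, use_dns_resolving)
    except Unreachable:
        return None, False
    return target, target == actual_ip


if __name__ == "__main__":
    # Constructed scenario: branch-07's DSL line was re-addressed overnight
    # and its dynamic-DNS record has already been updated.
    branch = Peer("branch-07", daip=True, dns_name="branch07.example.net",
                  last_seen_ip="203.0.113.10")
    dns = make_resolver({"branch07.example.net": "203.0.113.77"})
    now = "203.0.113.77"
    print(attempt_tunnel(branch, now, dns, use_dns_resolving=True))   # ('203.0.113.77', True)
    print(attempt_tunnel(branch, now, dns, use_dns_resolving=False))  # ('203.0.113.10', False)
```

The practical reading for the setup in the question: with two Star communities and permanent tunnels, the branches do the initiating and the stale-address case rarely matters, but any design where a hub must bring a tunnel up towards a branch (or branch to branch in a mesh) needs the DAIP gateways to have a DNS name that actually tracks their ISP-assigned address.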
Bharat_B
Participant

Thanks for the answer. It will probably be two communities with A and B as hubs and their respective branches as spokes.

The way DAIP works is that the DAIP gateway will connect to the management using the Phone home system. Once the gateway has been connected to the management server (SIC is established) it will on a regular base connect back to management and report the IP it is working from.

How does that part work when the firewall is behind a NAT device? Would it report its private IP instead of the public IP and so cause problems? Is there some probing available for the firewall to detect its public IP?

0 Kudos
Maarten_Sjouw
Champion

It will report to the management with its public IP, and this is what is stored. When you have a number of DAIP devices and look at the Monitor page (the old-fashioned R77.30 Monitor), it will show that IP. Also in the VPN Tunnel monitoring it will show the public IP.

Regards, Maarten
0 Kudos