Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bruce_R
Participant

Home Broadband Router and DAIP VPN.

Jump to solution

Hi,

We already have a Check Point gateway installed with multiple VPN tunnels etc. 

I have a requirement to create a very small VPN network at a user's home address. I cannot use client VPN for this.

The user is in the UK and has home broadband with a dynamic IP. 

I understand I need to use DAIP for the dynamic IP and that requires using certificates. 

My question is: can I place a VPN capable gateway behind the home router using the home router's DMZ or port forwarding options? Has anyone actually done this?

I'm looking at the 700 series Check Point devices for simplicity, but any recommendations for a small VPN capable router are welcome. 

Thanks

Bruce

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
Most VPN routers (including Check Point SMB appliances like the 700 and 1500) will operate with NAT-T, so don't require any particular port forwarding set up to work.
But, as you noted, certificate-based authentication will be required for the device.

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
Most VPN routers (including Check Point SMB appliances like the 700 and 1500) will operate with NAT-T, so don't require any particular port forwarding set up to work.
But, as you noted, certificate-based authentication will be required for the device.

View solution in original post

CAJohnsonindep
Explorer

So is there an actual guide on how to do this? I am trying to connect a 1550 behind my home router to our central management server. I have a guide that I found but my ISP is Google Fiber and if I try to connect the service line to the CP gateway it won't even get a link light, because Google has it locked down to force me to use their equipment. I am aware that Google will allow me to use my own router if I switch plans with them but I would like to avoid that for now.

So how do I get the gateway to talk to the management server when the WAN IP of my home gateway is a private IP (192.168.2.1 for example)?

0 Kudos
PhoneBoy
Admin
Admin

I'm not aware of a specific guide for this, but it's fairly straightforward:

  • The management has an externally accessible IP (can be via NAT, which is configured in the object for the management server).
  • A gateway object is created for your gateway with the DAIP option ticked:

image.png

From here you set the SIC password and can set how to identify the appliance that connects (either name, MAC, or First to Connect.
Publish the resulting changes.
On the SMB appliance, you can go to Home > Overview > Security Management and establish SIC using the SIC password and the external management IP.

In this situation, the gateway periodically "phones home" sending logs and fetching the security policy.
This doesn't require the SMB gateway having a public IP.

0 Kudos
Maarten_Sjouw
Champion
Champion
When you use a 1500 model you can manage it from the same management as your normal management. the only reason you want some port forwarding is for the ports you want to use for managing the device.
Regards, Maarten
Bruce_R
Participant

Thanks both, I have ordered some 1530's 

0 Kudos