Hi everybody,
I am currently working with an R80.10 Check Point. I need to establish a VPN connection with a peer (not a Check Point device), so I have to configure my side to allow this connection.
The problem is that this external peer has a dynamic IP address (which can be obtained from its FQDN). I am not sure if I have to use certificates to authenticate the peer or not, but I issued a .p12 file with the cpca_client tool. I created an "Interoperable device" and I configured the matching criteria options to check against the certificate.
My question is: Is the certificate necessary to authenticate the peer against the R80.10? If it is, am I doing it correctly?
Thanks beforehand,
Mike.
You may use a pre-shared key in the VPN community configuration for easier deployment.
Hi, thanks for your answer.
I would like to do that but Check Point does not allow using a PSK on hosts with a dynamic address. I can't close the host dialog window without configuring certificate matching criteria. When I do that, PSK is not available for a dynamic IP host...
That is the reason why I think some certificate is necessary to establish VPN connection against dynamic IP peers, but I am not sure about that.
Sorry, you're right, a DAIP 3rd-party device can't use a pre-shared key to establish a VPN:
S2S VPN between Check Point Security gateway and Cisco DAIP
You may refer to SK94028, but it's only for Check Point devices.
Maybe try DDNS?
Yes, I am using DDNS in "link options" inside the interoperable device dialog. However, it seems that when the IP changes, the VPN can't be established again. Maybe the certificate is needed to authenticate even if I use DDNS; one thing is name resolution and another thing is authentication, so it makes sense.
The link that you shared with me is very useful, thanks; I need some official documentation about that.
As noted in the thread, if your VPN endpoint has a dynamic IP, you can only authenticate with certificates, not pre-shared secret.
Authenticating with a pre-shared secret when the remote IP is not known can be insecure, particularly if you choose a PSK that is weak or easy to crack.
A few more details here: Considerations about IPsec Pre-Shared Keys | Blog Webernetz.net
Hello Dameon Welch Abernathy
Maybe this is not part of this thread, but let me fly away from my imagination and ask you the following:
Hi William Gutierres, Dameon Welch Abernathy is enjoying his time off this week.
To answer your questions:
Q: What if the endpoint DAIP is a Checkpoint Gateway?
A: No problem at all if the GW is centrally managed and is connected to the central GW. Just define it as a DAIP managed GW. Certificates are signed by the same CA, no problem, very standard configuration. The SMS should be accessible from the Internet for the standard Check Point network services.
Q: what if this specific DAIP Checkpoint is managed by a remote office?
A: I take it that it belongs to a different SMS in the remote office. In this case trust should be established between the SMS CAs on each end. Both SMSs should also have a CRL Distribution Point accessible from the Internet, so that each of the GWs on each side can validate a foreign certificate.
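The two points made above (a dynamic-IP peer can only be authenticated by certificate, and a foreign certificate is accepted only when it chains to a trusted CA and matches the configured DN criteria), shown as an added Go example that is not part of this thread or of any Check Point software. The CA "Constructed Peer CA", the peer name branch-vpn.example.net and the organisation "Example Corp" are constructed sample values; the helper names issue and AuthenticatePeer are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn/org: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent with parentKey.
func issue(cn, org string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fails only when the OS has no entropy
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign the CA root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert, key
}

// AuthenticatePeer mirrors the interoperable-device "matching criteria" check: the peer
// certificate must chain to a trusted CA and carry the expected subject DN. The peer's
// source IP is never consulted, which is why this works for a DAIP peer while an IP-keyed PSK does not.
func AuthenticatePeer(peer *x509.Certificate, roots *x509.CertPool, want pkix.Name) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if peer.Subject.String() != want.String() {
		return fmt.Errorf("subject %q does not match configured DN %q", peer.Subject.String(), want.String())
	}
	return nil
}
```

A certificate with the right DN but signed by a CA that is not in the trusted pool is rejected first, which is the case the cross-SMS CA trust above is meant to cover.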
Hello all,
@Miguel
I don't know what your 3rd party is. In my situation I must create a site-to-site VPN with a MikroTik device. I use DDNS but don't know how to create the certificate. Do I use a self-signed certificate, or use services like GlobalSign or similar?
The location with the MikroTik is our remote location.