Mk_83
Collaborator

Site-to-Site VPN over 4G Internet for Quantum Spark Appliances

Hello everyone,

We have nearly 20 Check Point appliances at our branches. We currently have an existing PPPoE connection used for both Internet access and a Site-to-Site VPN to our DC, HO.

I'm planning to set up a backup 4G Internet link for SMB appliances at our branch offices. This is intended to ensure continuous Internet and VPN connectivity for staff in case the primary PPPoE link goes down.

I would like to ask:
Is it possible to establish a Site-to-Site VPN over this 4G interface?

The 4G connection uses CGNAT, so no public IP is available on the branch side. I'm currently unsure whether Check Point SMB appliances support dial-up VPN mode (where the branch initiates VPN without needing a static public IP).

If anyone knows something about this, please help me.

Thanks & Best regards.

3 Replies
Wolfgang
MVP Gold

@Mk_83 How about your DC? Are there gateways running with a non-dynamic public IP address?

It's normally not a problem to run a site-to-site VPN via 4G, 5G, LTE, … to a central gateway. NAT done by the mobile network providers is no problem either. The IPsec connection will use NAT-T, and the connection has to be initiated from the branch site to the central DC.

Monitoring of the state of the branch appliances does not work (the small green sign of the firewall object in SmartConsole). The monitoring connection is initiated from the SMS to the branch appliance, and this will fail because of the NAT in the provider's network.

The branch gateway objects must be defined with a dynamic external IP. We are running environments with integrated LTE in the appliance and others with external LTE routers; both are working fine.

Mk_83
Collaborator

Many thanks for your response.

Yes, our DC gateway (Sophos) already has a public IP (PPPoE).

We added the branch gateways to Smart-1 Cloud (connected through the PPPoE Internet link) and set up the S2S VPN to the DC using that link. This works well since both sides have public IP addresses.

If you have any documentation or best practices regarding configuring a VPN tunnel from a 4G/LTE/5G link (non-public IP) to a DC gateway with a public IP, could you please share them with me?

Thanks & Best Regards.

G_W_Albrecht
MVP Silver

sk167473: FAQ for Security Gateways with Dynamically Assigned IP Address (DAIP)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
