Re: Site to Site VPN with Dynamic IP

pyiephyohtay · ‎2023-09-11

Dear Members,

Currently, I'm using a site-to-site VPN connection between a Checkpoint SMB 1880 and an ASA firewall. The Checkpoint has a Public IP address assigned, while the ASA side is using a dynamic IP address. Phase 1 and Phase 2 are correctly configured on both sides, but the tunnel is not coming up for Phase 1 and 2 (IKEv2).

Does someone have a configuration guide for this, or can you please help me with my issues?

Thanks.

PPH

the_rock · ‎2023-09-11

I have one doc from another community post, not sure if it would apply 100% to you, but just curious, what do they see on ASA side? I attached the doc and also, below is simple debug you can do on cp and asa side.

Andy

CP side:

gw expert mode:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

collect ike.elg and vpnd.elg files from $FWDIR/log dir on the fw

************************************

ASA debug

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

pyiephyohtay · ‎2023-09-13

Dear The Rock,

It's important to note that the SMB series is completely different from the Security Gateway Series. The tunnel for the VPN is now up, but traffic is not reaching the Checkpoint side. Ping and Telnet are not functioning.

the_rock · ‎2023-09-13

Have you done any captures, checked the logs to see why its failing?

Andy

G_W_Albrecht · ‎2023-09-13

If this is locally managed SMB theVPN peer DAIP.pdf does not apply. Here is a document including SMB side config: sk109139: How to configure Site-to-Site VPN between Locally Managed Embedded GAIA appliance and Cent....

Who starts the VPN tunnel ? It has to be the ASA afaik. Also only certificate based VPN will work as stated above. See for centrally managed SMBs sk108600: VPN Site-to-Site with 3rd party and sk53980: How to set up a Site-to-Site VPN with a 3rd-party remote gateway

sk98604: No valid SA when creating VPN tunnel between locally managed SMB appliance and 3rd party ga...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2023-09-13

You are 100% right, that file I sent would not apply if its locally managed appliance.

Andy

CaseyB · ‎2023-09-13

I know for Check Point to Check Point SMB to work in a dynamic scenario, the VPN has to be setup using certificates. I am not sure if the same applies for third party devices, but it could be your issue.

RS_Daniel · ‎2023-09-13

Hello,

I do not have a configuration guide for third parties, but had a similar scenario with Mikrotik on the remote side. It is working ok. The first question:

are you using certificates for authentication between the peers? it is mandatory when one of peers the has DAIP.

1800 SMB is centrally managed or locally?

The basic flow for cert authentication is export de CA certificate from checkpoint and import it on cisco side. Then on cisco side create a csr, export it and sign it on CheckPoint side. Use this signed certificate on Cisco side for authentication with this VPN.

For 1800 centrally managed sk109139.

For 1800 locally managed sk112213

These two sk's show the configuration between checkpoint devices. But the same flow should work for third parties. In our case it worked. HTH

Regards

Are you a member of CheckMates?

Site to Site VPN with Dynamic IP