Re: Site to Site VPN with Dynamic IP

pyiephyohtay · ‎2023-09-11

Dear Members,

Currently, I'm using a site-to-site VPN connection between a Checkpoint SMB 1880 and an ASA firewall. The Checkpoint has a Public IP address assigned, while the ASA side is using a dynamic IP address. Phase 1 and Phase 2 are correctly configured on both sides, but the tunnel is not coming up for Phase 1 and 2 (IKEv2).

Does someone have a configuration guide for this, or can you please help me with my issues?

Thanks.

PPH

the_rock · ‎2023-09-11

I have one doc from another community post, not sure if it would apply 100% to you, but just curious, what do they see on ASA side? I attached the doc and also, below is simple debug you can do on cp and asa side.

Andy

CP side:

gw expert mode:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

collect ike.elg and vpnd.elg files from $FWDIR/log dir on the fw

************************************

ASA debug

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

pyiephyohtay · ‎2023-09-13

Dear The Rock,

It's important to note that the SMB series is completely different from the Security Gateway Series. The tunnel for the VPN is now up, but traffic is not reaching the Checkpoint side. Ping and Telnet are not functioning.

the_rock · ‎2023-09-13

Have you done any captures, checked the logs to see why its failing?

Andy

G_W_Albrecht · ‎2023-09-13

If this is locally managed SMB theVPN peer DAIP.pdf does not apply. Here is a document including SMB side config: sk109139: How to configure Site-to-Site VPN between Locally Managed Embedded GAIA appliance and Cent....

Who starts the VPN tunnel ? It has to be the ASA afaik. Also only certificate based VPN will work as stated above. See for centrally managed SMBs sk108600: VPN Site-to-Site with 3rd party and sk53980: How to set up a Site-to-Site VPN with a 3rd-party remote gateway

sk98604: No valid SA when creating VPN tunnel between locally managed SMB appliance and 3rd party ga...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock · ‎2023-09-13

You are 100% right, that file I sent would not apply if its locally managed appliance.

Andy

CaseyB · ‎2023-09-13

I know for Check Point to Check Point SMB to work in a dynamic scenario, the VPN has to be setup using certificates. I am not sure if the same applies for third party devices, but it could be your issue.

RS_Daniel · ‎2023-09-13

Hello,

I do not have a configuration guide for third parties, but had a similar scenario with Mikrotik on the remote side. It is working ok. The first question:

are you using certificates for authentication between the peers? it is mandatory when one of peers the has DAIP.

1800 SMB is centrally managed or locally?

The basic flow for cert authentication is export de CA certificate from checkpoint and import it on cisco side. Then on cisco side create a csr, export it and sign it on CheckPoint side. Use this signed certificate on Cisco side for authentication with this VPN.

For 1800 centrally managed sk109139.

For 1800 locally managed sk112213

These two sk's show the configuration between checkpoint devices. But the same flow should work for third parties. In our case it worked. HTH

Regards

vladdar

Hello I have similar scenario : IPSec VPN tunnel from locally managed Spark 1530 with Dynamic IP to centrally managed Spark 2000 cluster. Cnetral management is Smart-1-cloudin this case. How do I get CA certificate from cloud management ?

Currently I have both sides managed locally, but need to migrate Spark 2000 cluster under cloud management. Is it even possible to keep this tunnel running ? Currently I am using PSK, which is possible on local management.

G_W_Albrecht

If you are using PSK, this will not change if you switch to SMP management as the current VPN tunnel configs will be kept unchanged.

Otherwise with Smart-1 Cloud - this may reset some config, see https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...

PSK is not possible using the WebGUI, but you can always configure it using CLI.

As the SMP license is included in every SMB unit, this is the cheapest, but compared to local management much better solution imho.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

vladdar

Sorry, but I am not talking about SMP. We are talking about Smart-1-Cloud, hub site will be managed from the smart-1-cloud. Other Spark box with only dynamic IP will be still managed locally but there shouldnt be any problem there according to this guide sk109139. Problem is how to get CA certificate from management server( smart-1-cloud) in this case as per point 1 and 2 from sk109139. Thank you.

G_W_Albrecht

Smart-1 Cloud is different - so sk109139 does not apply imho. I would open a SR# with CP TAC to get the necessary information.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

vladdar

Thank You, I will try to get some info from them.

the_rock

I would also do that, because you definitely dont want to start changing things on S1C cloud portal, as there is no typical ssh access.

Andy

G_W_Albrecht

Colleague of mine did configuration of SMBs managed by Smart-1 recently for a customer and found that most information is only available/valid for On-Prem SMS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

vladdar

So this is guide how to do it from TAC.

To make the tunnel authentication certificate based we need to export the internal_CA from Servers -> Trusted CA -> Open internal_CA object and navigate to Local Security Management Server -> Click Save As.. and save it on the client:

Just adding for anyone not knowing where to look for Servers that they are in objects.

the_rock

Thanks for sharing!

Are you a member of CheckMates?

Site to Site VPN with Dynamic IP