CheckMates: Products: Quantum: SMB Gateways (Spark)
Site to Site VPN with Dynamic IP
Dear Members,
Currently, I'm using a site-to-site VPN connection between a Checkpoint SMB 1880 and an ASA firewall. The Checkpoint has a Public IP address assigned, while the ASA side is using a dynamic IP address. Phase 1 and Phase 2 are correctly configured on both sides, but the tunnel is not coming up for Phase 1 and 2 (IKEv2).
Does someone have a configuration guide for this, or can you please help me with my issues?
Thanks.
PPH
I have one doc from another community post, not sure if it would apply 100% to you, but just curious, what do they see on ASA side? I attached the doc and also, below is simple debug you can do on cp and asa side.
Andy
CP side (gateway expert mode):
    vpn debug trunc
    vpn debug ikeon
    (generate some traffic)
    vpn debug ikeoff
    collect the ike.elg and vpnd.elg files from the $FWDIR/log directory on the firewall

ASA side:
    debug crypto condition peer x.x.x.x
    debug crypto ikev1 200
    debug crypto ipsec 200
    to cancel all debugs: undebug all
Dear The Rock,
It's important to note that the SMB series is completely different from the Security Gateway Series. The tunnel for the VPN is now up, but traffic is not reaching the Checkpoint side. Ping and Telnet are not functioning.
Have you done any captures, or checked the logs to see why it's failing?
Andy
If this is a locally managed SMB, the VPN peer DAIP.pdf does not apply. Here is a document including the SMB side config: sk109139: How to configure Site-to-Site VPN between Locally Managed Embedded GAIA appliance and Cent....
Who starts the VPN tunnel? It has to be the ASA afaik. Also, only certificate-based VPN will work, as stated above. For centrally managed SMBs see sk108600: VPN Site-to-Site with 3rd party and sk53980: How to set up a Site-to-Site VPN with a 3rd-party remote gateway
You are 100% right, that file I sent would not apply if it's a locally managed appliance.
Andy
I know that for Check Point to Check Point SMB to work in a dynamic scenario, the VPN has to be set up using certificates. I am not sure if the same applies for third-party devices, but it could be your issue.
Hello,
I do not have a configuration guide for third parties, but I had a similar scenario with a Mikrotik on the remote side. It is working ok. The first questions:
Are you using certificates for authentication between the peers? It is mandatory when one of the peers has a DAIP.
Is the 1800 SMB centrally or locally managed?
The basic flow for cert authentication is: export the CA certificate from Check Point and import it on the Cisco side. Then on the Cisco side create a CSR, export it and sign it on the Check Point side. Use this signed certificate on the Cisco side for authentication with this VPN.
For a centrally managed 1800: sk109139.
For a locally managed 1800: sk112213.
These two SKs show the configuration between Check Point devices, but the same flow should work for third parties. In our case it worked. HTH
Regards
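The certificate flow described in the reply above (export the CA, have the remote peer generate a CSR, sign it with that CA, then have each side validate the other's certificate against the CA) can be rehearsed offline with openssl before touching either firewall. The script below is an added example, not code from the thread, from Check Point or from Cisco; it assumes openssl is installed, and the names lab-internal-ca and asa-peer.example.test are constructed placeholders for the internal CA and the remote peer. The last step shows the check an IKE peer effectively performs at authentication time, including the negative case where the presented certificate was issued by a CA the gateway does not trust.

```shell
#!/bin/sh
# Added example (not from the thread): rehearse certificate-based peer
# authentication with openssl in a scratch directory.
# Assumptions: openssl is on PATH; all names below are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the CA side. This stands in for exporting the management
# server's internal CA certificate (ca.pem is what gets imported on the peer).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=lab-internal-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: the remote peer generates its own key pair and a CSR.
# The private key never leaves the peer; only the CSR is exported.
make_peer_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=asa-peer.example.test" \
    -keyout "$WORK/peer.key" -out "$WORK/peer.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR; peer.pem is returned to the remote peer
# and installed there for IKE authentication.
sign_peer_csr() {
  openssl x509 -req -in "$WORK/peer.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/peer.pem" 2>/dev/null
}

# Step 4: what each IKE peer effectively does when the other side presents
# its certificate: verify that it chains to the trusted CA.
# Usage: verify_peer_cert <trusted-ca.pem> <presented-cert.pem>
# Prints "ok" and returns 0 on success, prints "fail" and returns 1 otherwise.
verify_peer_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo fail
  return 1
}

# Subject CN of a certificate. A peer's IKE identity must match the identity
# in its certificate, so this is the value to compare against the configured
# peer ID on the other side.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_ca
make_peer_csr
sign_peer_csr
verify_peer_cert "$WORK/ca.pem" "$WORK/peer.pem"   # ok
cert_cn "$WORK/peer.pem"                            # asa-peer.example.test

# Negative case: a certificate signed by an unrelated CA must be rejected,
# even though it is otherwise well-formed. This is the situation when the
# peer was enrolled against the wrong CA (e.g. a different management server).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=rogue-ca" -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
verify_peer_cert "$WORK/rogue.pem" "$WORK/peer.pem" || true   # fail
```

The split of roles mirrors the thread's flow: only the CA certificate travels from the management side to the remote peer, only the CSR travels back, and the signed certificate is the one the remote peer presents during IKE. If the tunnel still fails after enrollment, the two things to compare are the CA the gateway trusts for that peer and the identity (CN or SAN) the peer sends as its IKE ID.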
Hello, I have a similar scenario: an IPsec VPN tunnel from a locally managed Spark 1530 with a dynamic IP to a centrally managed Spark 2000 cluster. Central management is Smart-1 Cloud in this case. How do I get the CA certificate from the cloud management?
Currently I have both sides managed locally, but I need to migrate the Spark 2000 cluster under cloud management. Is it even possible to keep this tunnel running? Currently I am using PSK, which is possible on local management.
If you are using PSK, this will not change if you switch to SMP management, as the current VPN tunnel configs will be kept unchanged.
Otherwise, with Smart-1 Cloud this may reset some config, see https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...
PSK is not possible using the WebGUI, but you can always configure it using the CLI.
As the SMP license is included in every SMB unit, this is the cheapest, and compared to local management a much better solution imho.
Sorry, but I am not talking about SMP. We are talking about Smart-1 Cloud; the hub site will be managed from Smart-1 Cloud. The other Spark box with only a dynamic IP will still be managed locally, but there shouldn't be any problem there according to this guide, sk109139. The problem is how to get the CA certificate from the management server (Smart-1 Cloud) in this case, as per points 1 and 2 from sk109139. Thank you.
Smart-1 Cloud is different, so sk109139 does not apply imho. I would open an SR# with CP TAC to get the necessary information.
Thank you, I will try to get some info from them.
I would also do that, because you definitely don't want to start changing things on the S1C cloud portal, as there is no typical SSH access.
Andy
A colleague of mine did the configuration of SMBs managed by Smart-1 Cloud recently for a customer and found that most information is only available/valid for on-prem SMS.
So this is the guide from TAC on how to do it.
To make the tunnel authentication certificate-based, we need to export the internal_CA from Servers -> Trusted CA -> open the internal_CA object and navigate to Local Security Management Server -> click Save As... and save it on the client:
Just adding, for anyone not knowing where to look for Servers: they are under Objects.
Thanks for sharing!
