Hi everyone,
I'm in the middle of a test and my final objective is creating a VPN connection between my Central office and a branch office that has a 1400 series appliance that's using a USB LTE modem.
Currently I'm using a Huawei E3372 LTE USB stick modem.
According to sk92809, I've upgraded my appliance to R77.20.80 version.
I'm able to have internet connection, but have no idea how to configure a VPN via DAIP.
Is there anything I should change from the modem (NAT, ports) ?
Is there documentation?
Does anyone have experience with this kind of setup?
Thanks in advance for your help
You will need to use a certificate, since it is a DAIP device...
The certificate needs to be generated by the CP Management server in your Central office... or by a 3rd party CA.
This is a good starting point...
Dear Sal,
Thank you for the hint.
It's clear that I have to use certificates because of the DAIP in order to set up a VPN.
What if I would like to manage this appliance with my Central office MGMT? Is there any way I can manage this DAIP device?
Should I first set up a VPN connection and then the SIC connection?
If this doesn't work, should I make the MGMT ports that handle SIC connections public (via NAT rules)?
Thanks in advance for your reply.
Davide,
Managing via SMS is the best and simplest. Create your gateway as a DAIP gateway in your SMS, create your rules and VPN rules as with normal gateways and add your DAIP gateway to the relevant VPN community.
Your SMS should be accessible directly from the internet or via NAT. The control connections are excluded from VPN by default, so you can establish SIC and install policy without having VPN running.
On your 14xx appliance you must configure the appliance as centrally managed and connect it to the external IP of your SMS.
Wolfgang
In addition to the tips provided, e.g.:
If the gateway is not managed by the same SMS as your 1400 (e.g. if the 1400 is locally managed):
a) You will need to create a CSR on the 1400 and sign it from the ICA of the SMS. You will also need a static NAT on the SMS so that the 1400 can fetch the certificate revocation list from the SMS ICA, or disable CRL retrieval on the 1400.
b) In SmartConsole define certificate matching criteria on the object representing the 1400 series gateway, so that the 1400 can be identified by its certificate.
c) On the 1400 series gateway you must define the tunnel as a permanent tunnel so that it will always initiate the tunnel; otherwise you will sometimes be unable to bring up the tunnel from the central gateway (the gateway will not know which IP to connect to).
If the 1400 series gateway is centrally managed, the certificate will be used automatically, and you just need to define the VPN community for permanent tunnels; otherwise you will sometimes be unable to bring up the tunnel from the central gateway side (the gateway will not know which IP to connect to).
And of course, VPN encryption domains need to be created for local/remote. The VPN encryption domain should be the networks that exist behind the local gateway in question, which should be allowed to talk to the subnets configured on the remote side. You can easily base it on network topology if both peers are centrally managed and network topology is defined; otherwise you can use a network object or create a group of networks.
Standard firewall rules are needed to allow connections over the tunnel; on the central side, populating the VPN community column of the rulebase is not necessary unless you are using traditional mode VPN (most likely you are not).
According to sk105380, in centrally managed Small Office Appliances, VPN Traditional Mode is not supported.
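As an added illustration of steps a) and b) above, and not Check Point code or a description of how the ICA or SmartConsole implement this internally, the following Go program uses the standard library's x509 package to mimic the flow: the locally managed 1400 produces a CSR, an ICA stand-in checks and signs it while embedding a CRL distribution point at the SMS's NAT address, and the central side accepts the peer only if its certificate chains to the ICA and carries the configured DN. The CA name, the branch CN "branch-1400" and the CRL URL (203.0.113.10, path ICA_CRL1.crl) are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example, not Check Point code: an ICA stand-in signs a locally managed 1400's CSR; the central side matches the DAIP peer by certificate, not IP.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCSR plays the ICA: check the CSR, then issue a cert whose CRL distribution point is the SMS address reachable via the static NAT.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, crlURL string) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(csr, csr.CheckSignature()) // the CSR signature proves the 1400 holds the matching private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, CRLDistributionPoints: []string{crlURL},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))))
}

// matchPeer is the central gateway's "certificate matching criteria": chain to the ICA and carry the DN set on the 1400 object.
func matchPeer(peer, ca *x509.Certificate, wantCN string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil && peer.Subject.CommonName == wantCN
}

// demo runs the flow end to end: is the branch cert accepted under wantCN, and which CRL URL did the ICA embed in it?
func demo(wantCN string) (bool, string) {
	caKey, branchKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ICA sms-central (constructed)"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(48 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "branch-1400"}}, branchKey)) // only the CSR travels to the SMS; branchKey stays on the 1400
	peer := signCSR(ca, caKey, csrDER, "http://203.0.113.10:18264/ICA_CRL1.crl") // constructed URL: 203.0.113.10 stands for the SMS public NAT address; TCP 18264 is the ICA service port
	return matchPeer(peer, ca, wantCN), peer.CRLDistributionPoints[0]
}

func main() { fmt.Println(demo("branch-1400")) }
```

Running it prints `true http://203.0.113.10:18264/ICA_CRL1.crl`; changing the CN passed to demo to anything other than the one in the CSR makes the match fail, which is exactly why the matching criteria must agree with the DN the 1400 puts in its request.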