This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Smorales
Contributor
‎2025-11-25 08:44 AM
Jump to solution

VPN Site to Site with Third Party Gateway and using DynDNS

Hello, everyone.

 

Due to a requirement, I have been investigating how to generate a Site-to-Site VPN to a third-party gateway, but unlike other VPNs, the peer for this new VPN does not have a static public IP address. It uses DynDNS, which means it uses a domain for a public IP address that changes constantly.


Honestly, I don't see how this could work, since regardless of the type of VPN I use, whether it's domain/route-based or if I use Pre-Shared Keys or Certificates, they need a fixed public IP from the peer to establish IKE.


I was thinking of using the “Resolve from name” option in the interoperable object, but after doing some more research, I read that when it resolves and the domain changes IP, you need to manually change the object so that it resolves with the new IP, and this is not very efficient.

 

My question is: have you had any similar activity? Do you know of any documentation that relates to something like this?

 

Best regards!

Labels
0 Kudos
1 Solution

Accepted Solutions
Smorales
Contributor
‎2025-12-18 09:24 AM
Jump to solution

Hello team.

Sorry for the very late reply.

 

Yesterday, I was able to successfully set up the tunnel thanks to your comments and documentation.

 

Here is a summary of what I did:

 

1. I used a client CA instead of the Security Management CheckPoint and imported the certificate signed by that same CA on both sides of the VPN (Check Point and third-party peer).

2. The interoperable object was configured as mentioned by “emmap”: check the Dynamic Address checkbox. In the topology section, manually enter a “WAN” interface and select that it has a dynamic IP. In Ipsec VPN, enter the trusted CA certificate in the matching criteria and enter the DN that the other gateway entered in the DN section (following the steps in the document mentioned by the_rock).

3. Generate the VPN community with the corresponding encryption settings, permanent tunnels, VPN routing, advanced settings, or whatever else is considered necessary.

 

With these settings, the tunnel was set up without any problems.

I would like to point out that the part that was a little complicated at first was the interoperable object, which I consider to be the main thing for the VPN to work properly.

 

Once again, thank you very much for your comments and support, team.

 

Best regards.

View solution in original post

6 Replies
CaseyB
Advisor
‎2025-11-25 11:14 AM
Jump to solution

I have plenty of these working with Check Point devices, but I would imagine it would be similar for a third-party gateway if it was to work.

  • DAIP Gateway
  • Certificate authentication

The DAIP gateway will always be the one initiating the IPsec tunnel since the DAIP gateway is dynamic.

sk36968 

sk167473 

emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-11-25 10:00 PM
Jump to solution

When you create your Interop Device, tick the Dynamic Address box next to the Resolve from Name button. Then in IPSec VPN / Link Selection, select the Use DNS resolving radio button and put the FQDN in the Full hostname box. You will need to use Cert based auth for this to work. 

the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 08:26 AM
Jump to solution

I actually saved the doc someone here in community made while back. Let mr see if I can find the post about it, but if not, will look for a document.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 08:27 AM
In response to the_rock
Jump to solution

@Smorales 

I believe this is it.

https://community.checkpoint.com/t5/Security-Gateways/VPN-site-to-site-with-Remote-Peer-Dynamic-IP/m...

Best,
Andy
"Have a great day and if its not, change it"
Smorales
Contributor
‎2025-12-18 09:24 AM
Jump to solution

Hello team.

Sorry for the very late reply.

 

Yesterday, I was able to successfully set up the tunnel thanks to your comments and documentation.

 

Here is a summary of what I did:

 

1. I used a client CA instead of the Security Management CheckPoint and imported the certificate signed by that same CA on both sides of the VPN (Check Point and third-party peer).

2. The interoperable object was configured as mentioned by “emmap”: check the Dynamic Address checkbox. In the topology section, manually enter a “WAN” interface and select that it has a dynamic IP. In Ipsec VPN, enter the trusted CA certificate in the matching criteria and enter the DN that the other gateway entered in the DN section (following the steps in the document mentioned by the_rock).

3. Generate the VPN community with the corresponding encryption settings, permanent tunnels, VPN routing, advanced settings, or whatever else is considered necessary.

 

With these settings, the tunnel was set up without any problems.

I would like to point out that the part that was a little complicated at first was the interoperable object, which I consider to be the main thing for the VPN to work properly.

 

Once again, thank you very much for your comments and support, team.

 

Best regards.

the_rock
MVP Diamond
MVP Diamond
‎2025-12-18 09:26 AM
In response to Smorales
Jump to solution

Great news!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events