Re: VPN site-to-site with Remote Peer Dynamic IP

Bernardes · ‎2023-05-11

Hello Mates!

I have a question about site-to-site VPN tunnels.

When the remote peer is behind a carrier router with a dynamic IP that can change at any time, is the only solution to use the LSV profile?

Which gateway option in SmartConsole can we use in this case? Is LSV supported by other vendors or is it Check Point proprietary?

Thank you!

Chris_Atkinson · ‎2023-05-11

LSV isn't mandatory but the use of certificates for authentication is per:

"To establish VPN tunnel between a DAIP Gateway and a 3rd party appliance you need to use a certificate. For more information refer to: sk36968 - Cannot establish VPN tunnel with 3rd Party DAIP using Pre-shared Secret"

CCSM R77/R80/ELITE

PhoneBoy · ‎2023-05-11

The actual requirements are:

Defining the relevant object with the Dynamic IP checkbox
Using certificate-based authentication (PSK is significantly less secure in a DAIP environment)

LSV/SmartProvisioning is just a way to manage a large number of gateways.

Bernardes · ‎2023-05-12

Sorry for my beginner's question, but I have never needed to configure a tunnel with a remote peer using a dynamic IP from another vendor. So, does Check Point not support any way of establishing a tunnel with a remote peer with a dynamic IP? Does it have to be done via certificates? How do I handle the certificates on each side? Where do I specify in the community that certificates will be used for authentication?

the_rock · ‎2023-05-12

I know it can be overwhelming, but its not so terrible, I done it couple of times. Just follow what @Chris_Atkinson gave, plus below. If you have trouble, we can do remote.

Andy

https://support.checkpoint.com/results/sk/sk36968

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/htm...

Best,
Andy

Bernardes · ‎2023-05-13

Hello @the_rock !

Could you please validate if the process described in this PDF is correct for configuring a peer with a dynamic IP?

the_rock · ‎2023-05-13

Thats it!

Best,
Andy

the_rock · ‎2023-05-14

I actually have an excellent document my colleague made about this few years ago, but one you attached is as good, so I would definitely follow it...no reason it would not work.

As stated, happy to do remote if you get stuck, as I had done this before, so should not be an issue to make it work.

Let us know.

Cheers,

Andy

Best,
Andy

Bernardes · ‎2023-05-15

Hello @the_rock , thank you so much for the time you dedicated to confirming this and for your willingness to help!

I will schedule a maintenance window with the client to test this document in practice. If I get stuck at any point in the process, I'll let you know, and if everything goes well, I'll provide feedback with any necessary considerations.

the_rock · ‎2023-05-15

Of course man, any time! Happy to help you ☕

Best,
Andy

the_rock · ‎2023-05-11

You got 2 excellent answers...certificate authentication is needed, as this would never work with PSK.

Best,
Andy

Nüüül · ‎2023-05-14

Hi,

had a similar issue with an „interoperable device“ (ASA) and was able to update its ip via Dynamic DNS resolution and dbedit command. In the meanwhile it seems to be possible via API call too, so worth a try to Update the script.
Is the Remote Peer a Check Point node? Managed by your Management? Then changing the ip might be a Bad idea.

Bernardes · ‎2023-05-15

The remote peer is a Socic Wall appliance. According to the documentation, it is possible to configure a peer with a dynamic IP without the need to use DDNS. My question is regarding how to perform this configuration, which is why I sent the document above to be validated for correctness.

the_rock · ‎2023-05-15

Does not matter if interoperable device is sonic wall, super sonic wall, makes no difference lol. At the end of the day, what matters is that process is done with certificate authentication, exactly how is described in the document. If you follow it, Im 100% sure it will work.

Best,
Andy

Bernardes · ‎2023-05-19

Hello, my friend. Yesterday, I made the configurations as per the document, but initially, we encountered some authentication failure logs:

We suspected it might be related to the certificate or how we were trying to use it. After making some changes and attempts, we were able to resolve the issue, and authentication started working correctly. We could even see the tunnel up, but we couldn't pass traffic through it. Here's what we did: The client exported the SonicWall certificate in .p7b format.

Using that certificate, I created a Trusted CA object in the SmartConsole.

Then, in the cluster>IPSec VPN object, I clicked on 'Add...' and entered the Nickname, selected the created CA, and clicked on 'Generate...'.

The request was created, and I clicked on 'View' and 'Save to File...'.

I sent the .req file back to the client, who signed it with their CA and returned a .crt file to me. With this file in hand, I clicked on 'Complete...', selected the file, and the process was completed, with the certificate now showing a 'Signed' status.

After this process, the authentication failure error stopped, and the tunnel came up. However, we couldn't identify the reason why traffic is not flowing through it.

To test between Check Point appliances, I set up a lab to establish this tunnel with the client's appliance. In this case, my lab appliance is the one with a dynamic IP.

I only swapped the certificates between them, and I encountered the same authentication failure error. I looked at the guide on how to set up tunnels on Externally Managed Gateways based on certificates, but the process wasn't clear to me.

Could you please help with how can I do the certificates swap between these Check Point Appliances in this case?

the_rock · ‎2023-05-19

Great job testing all this. By the way, I would check if securexl or vpn accel could be reason why trafficl fails. Maybe remote session would help when you are available.

Captures would also show us the traffic path.

Andy

Best,
Andy

Bernardes · ‎2023-05-24

Hello Friends @the_rock @Chris_Atkinson @PhoneBoy @Nüüül , after several tests and checks, we finally managed to identify that there was an incorrect configuration on the Sonic Wall peer side.

After making the adjustment, the tunnels started functioning normally.

So, from the beginning, the Check Point side configurations were indeed correct.

Thank you very much for your assistance and availability as always!

the_rock · ‎2023-05-24

Of course mate, we will always do our best to help. Btw, Sonicwall...worked with it once, I honestly went to bed that night totally CONFUSED 🤣🤣

Anyway, glad its fixed, excellent job! 👍

Andy

Best,
Andy

Are you a member of CheckMates?

VPN site-to-site with Remote Peer Dynamic IP