Bernardes
Advisor

VPN site-to-site with Remote Peer Dynamic IP

Hello Mates!

I have a question about site-to-site VPN tunnels.

When the remote peer is behind a carrier router with a dynamic IP that can change at any time, is the only solution to use the LSV profile?

Which gateway option in SmartConsole can we use in this case? Is LSV supported by other vendors or is it Check Point proprietary?

Thank you!

17 Replies
Chris_Atkinson
Employee

LSV isn't mandatory, but the use of certificates for authentication is, per:

"To establish VPN tunnel between a DAIP Gateway and a 3rd party appliance you need to use a certificate. For more information refer to: sk36968 - Cannot establish VPN tunnel with 3rd Party DAIP using Pre-shared Secret"

CCSM R77/R80/ELITE
PhoneBoy
Admin

The actual requirements are:

  • Defining the relevant object with the Dynamic IP checkbox
  • Using certificate-based authentication (PSK is significantly less secure in a DAIP environment)

LSV/SmartProvisioning is just a way to manage a large number of gateways.

Bernardes
Advisor

Sorry for my beginner's question, but I have never needed to configure a tunnel with a remote peer using a dynamic IP from another vendor. So, does Check Point not support any way of establishing a tunnel with a remote peer with a dynamic IP? Does it have to be done via certificates? How do I handle the certificates on each side? Where do I specify in the community that certificates will be used for authentication?

the_rock
Legend

I know it can be overwhelming, but it's not so terrible; I've done it a couple of times. Just follow what @Chris_Atkinson gave, plus the links below. If you have trouble, we can do a remote session.

Andy

https://support.checkpoint.com/results/sk/sk36968

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/htm...

Bernardes
Advisor

Hello @the_rock !

Could you please validate if the process described in this PDF is correct for configuring a peer with a dynamic IP?

the_rock
Legend

That's it!

the_rock
Legend

I actually have an excellent document my colleague made about this a few years ago, but the one you attached is just as good, so I would definitely follow it... no reason it would not work.

As stated, happy to do a remote session if you get stuck. I have done this before, so it should not be an issue to make it work.

Let us know.

Cheers,

Andy

Bernardes
Advisor

Hello @the_rock , thank you so much for the time you dedicated to confirming this and for your willingness to help!

I will schedule a maintenance window with the client to test this document in practice. If I get stuck at any point in the process, I'll let you know, and if everything goes well, I'll provide feedback with any necessary considerations.

the_rock
Legend

Of course man, any time! Happy to help you 

the_rock
Legend

You got 2 excellent answers...certificate authentication is needed, as this would never work with PSK.

Nüüül
Advisor

Hi,

I had a similar issue with an "interoperable device" (ASA) and was able to update its IP via Dynamic DNS resolution and the dbedit command. In the meantime it seems to be possible via API call too, so it is worth a try to update the script.
Is the remote peer a Check Point node? Managed by your Management? Then changing the IP might be a bad idea.

Bernardes
Advisor

The remote peer is a SonicWall appliance. According to the documentation, it is possible to configure a peer with a dynamic IP without the need to use DDNS. My question is regarding how to perform this configuration, which is why I sent the document above to be validated for correctness.

the_rock
Legend

Does not matter if the interoperable device is SonicWall, super sonic wall, makes no difference lol. At the end of the day, what matters is that the process is done with certificate authentication, exactly as described in the document. If you follow it, I'm 100% sure it will work.

Bernardes
Advisor

Hello, my friend. Yesterday, I made the configurations as per the document, but initially, we encountered some authentication failure logs:

[image: log1-fail.png]

[image: log2-fail.png]

We suspected it might be related to the certificate or how we were trying to use it. After making some changes and attempts, we were able to resolve the issue, and authentication started working correctly. We could even see the tunnel up, but we couldn't pass traffic through it. Here's what we did: The client exported the SonicWall certificate in .p7b format.

[image: cert.png]

Using that certificate, I created a Trusted CA object in the SmartConsole.

Then, in the cluster>IPSec VPN object, I clicked on 'Add...' and entered the Nickname, selected the created CA, and clicked on 'Generate...'.

[image: add.png]

The request was created, and I clicked on 'View' and 'Save to File...'.

[image: view.png]

I sent the .req file back to the client, who signed it with their CA and returned a .crt file to me. With this file in hand, I clicked on 'Complete...', selected the file, and the process was completed, with the certificate now showing a 'Signed' status.

[image: signedcrt.png]

[image: complete.png]

[image: signed.png]

After this process, the authentication failure error stopped, and the tunnel came up. However, we couldn't identify the reason why traffic is not flowing through it.

[image: logss1.png]

[image: logss2.png]

[image: logss3.png]

[image: logss4.png]

To test between Check Point appliances, I set up a lab to establish this tunnel with the client's appliance. In this case, my lab appliance is the one with a dynamic IP.

I only swapped the certificates between them, and I encountered the same authentication failure error. I looked at the guide on how to set up tunnels on Externally Managed Gateways based on certificates, but the process wasn't clear to me.

Could you please help with how can I do the certificates swap between these Check Point Appliances in this case?

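The certificate exchange described in the post above (gateway generates a CSR, the SonicWall side's CA signs it, the signed .crt is imported with "Complete...") can be reproduced and sanity-checked offline with openssl. The script below is an added example, not code from the thread or from Check Point; the CA name, the gateway DN and the file names are constructed for the demo, and the real CA certificate and DN come from the peer and from the nickname chosen in SmartConsole. It shows the three checks worth running when IKE logs an authentication failure after the exchange: the returned certificate must chain to the CA that was imported as the Trusted CA object, its public key must be the one from the CSR the gateway generated, and its subject must match the peer ID the remote side expects.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): reproduce the
# CSR -> external CA -> signed cert exchange with openssl, then run the
# checks a practitioner does before (or after) clicking "Complete...".
# All names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Peer side: the remote admin's CA. A throwaway self-signed CA stands in for
# the SonicWall CA whose certificate was imported as the Trusted CA object.
make_peer_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=SonicWall Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Check Point side: key pair plus CSR, the equivalent of "Generate..." in
# the gateway object's IPSec VPN tab. The CN is the identity the peer will
# be configured to expect (assumed value).
make_gateway_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=cp-gw-dynamic.example.internal" \
        -keyout "$WORK/gw.key" -out "$WORK/gw.req" >/dev/null 2>&1
}

# Peer side: the CA signs the .req and hands back a .crt.
sign_gateway_csr() {
    openssl x509 -req -in "$WORK/gw.req" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/gw.crt" >/dev/null 2>&1
}

# Check A: the returned cert must chain to the CA held in the Trusted CA
# object; a cert from any other issuer is rejected at import and at IKE time.
cert_chains_to_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/gw.crt" >/dev/null 2>&1; then
        echo chain-ok
    else
        echo chain-bad
    fi
}

# Check B: the cert must carry the public key from *our* CSR. A cert issued
# for some other key pair cannot complete the pending request.
cert_matches_csr() {
    csr_pub=$(openssl req -in "$WORK/gw.req" -pubkey -noout | openssl sha256)
    crt_pub=$(openssl x509 -in "$WORK/gw.crt" -pubkey -noout | openssl sha256)
    if [ "$csr_pub" = "$crt_pub" ]; then
        echo key-match
    else
        echo key-mismatch
    fi
}

# Check C: the subject DN, to compare against the peer ID configured on the
# remote side. An ID mismatch is a classic cause of IKE authentication failure.
cert_subject() {
    openssl x509 -in "$WORK/gw.crt" -noout -subject
}

# Negative case: a cert verified against a *different* CA fails check A. This
# is what a wrong or stale Trusted CA object looks like from the CLI.
wrong_ca_fails() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    if openssl verify -CAfile "$WORK/other.crt" "$WORK/gw.crt" >/dev/null 2>&1; then
        echo chain-ok
    else
        echo chain-bad
    fi
}

run_demo() {
    make_peer_ca && make_gateway_csr && sign_gateway_csr
    echo "chain:    $(cert_chains_to_ca)"
    echo "key:      $(cert_matches_csr)"
    echo "subject:  $(cert_subject)"
    echo "wrong CA: $(wrong_ca_fails)"
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Run it with `--demo` to see all three checks pass for a correctly signed certificate and check A fail for the wrong CA. On a real deployment, replace `ca.crt` with the CA certificate the peer sent (the .p7b can be converted with `openssl pkcs7 -print_certs`) and `gw.crt` with the file returned for "Complete...".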
the_rock
Legend

Great job testing all this. By the way, I would check whether SecureXL or VPN acceleration could be the reason why traffic fails. Maybe a remote session would help when you are available.

Captures would also show us the traffic path.

Andy

Bernardes
Advisor

Hello Friends @the_rock @Chris_Atkinson @PhoneBoy @Nüüül, after several tests and checks, we finally managed to identify that there was an incorrect configuration on the SonicWall peer side.

After making the adjustment, the tunnels started functioning normally.

So, from the beginning, the Check Point side configurations were indeed correct.

Thank you very much for your assistance and availability as always!

the_rock
Legend

Of course mate, we will always do our best to help. Btw, Sonicwall...worked with it once, I honestly went to bed that night totally CONFUSED 🤣🤣

Anyway, glad it's fixed, excellent job! 👍

Andy
