jijotms0511
Contributor

Check Point 3600 query on IPsec VPN and SSL VPN

Jump to solution

Hi Team,

I have a question on the Check Point model 3600 (Gaia R80.30).

The Check Point interface connected to the internet doesn't have a static IP; it is dynamic.

We need to achieve an IPsec site-to-site VPN with a Fortinet firewall, and SSL VPN should also be configured with Duo authentication. Is the above requirement possible with a dynamic public IP on the Check Point interface connected to the internet?

The customer is planning to subscribe to one of the DynDNS services so that the CP firewall can keep updating DynDNS with the latest IP that the firewall holds.

Also considering creating a CNAME for their company domain that points to the DynDNS domain for VPN requirements.

Thanks,

Jijo Thomas

5 Replies
PhoneBoy
Admin

The only way to do Site2Site VPN with a dynamic IP is with certificate-based authentication.
Not sure how Mobile Access Blade would handle the dynamic IP.
It might be better to use something like our new Corporate Access solution (formerly known as Odo), which will definitely work with a dynamic IP: https://www.checkpoint.com/odo/

jijotms0511
Contributor

Thank you so much. Let me check on the same.
jijotms0511
Contributor

Hi, the plan for mobile users with a dynamic IP is like below:

User -> vpn.customerdomain.com

vpn.customerdomain.com CNAME to XX.dyndns.org

XX.dyndns.org is on a dynamic IP that CP will keep updating based on its WAN IP.

Please help to confirm.

Thanks,

PhoneBoy
Admin (accepted solution)

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

[Screenshot: Screen Shot 2020-11-24 at 11.42.24 AM.png]

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

[Screenshot: Screen Shot 2020-11-24 at 11.48.00 AM.png]

If you're interested in the above solution, I recommend connecting with your local Check Point office.


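The two posts above describe a DNS chain (user -> vpn.customerdomain.com -> CNAME -> a DynDNS name -> the gateway's current WAN IP) and the caveat that a static gateway object holds a resolved IP that goes stale when the WAN address changes. The following Python script is an added example, not code from the thread or from Check Point: it follows a CNAME chain to an A record over a constructed toy zone (the names `vpn.customerdomain.com`, `example-gw.dyndns.org` and all IPs are made up), and then runs a drift check that compares the IP stored in a static gateway object against what DNS currently resolves, which is the condition that would otherwise require the manual intervention PhoneBoy mentions.

```python
"""Toy model of the CNAME -> DynDNS -> A chain and a configured-IP drift check.

Added example; zone data, host names and IP addresses are constructed, not real.
"""
from dataclasses import dataclass

# Constructed zone data (hypothetical records): name -> (record type, value).
ZONE = {
    "vpn.customerdomain.com.": ("CNAME", "example-gw.dyndns.org."),
    "example-gw.dyndns.org.": ("A", "198.51.100.7"),
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops or absurdly long chains


def resolve_a(name, zone, max_hops=MAX_CNAME_HOPS):
    """Follow CNAME records in `zone` until an A record is found.

    Returns (ip, chain) where chain lists every name visited, in order.
    Raises LookupError if a name is missing or the chain exceeds max_hops.
    """
    if not name.endswith("."):
        name += "."  # normalise to a fully qualified name
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype == "CNAME":
            name = value
            chain.append(name)
            continue
        raise LookupError(f"no A or CNAME record for {name}")
    raise LookupError("CNAME chain too long (possible loop)")


@dataclass
class GatewayObject:
    """Minimal stand-in for a statically configured gateway object (hypothetical)."""
    name: str
    dns_name: str        # the name clients are told to use
    configured_ip: str   # the IP baked into the local configuration


def check_drift(gw, zone):
    """Compare the configured IP with the IP DNS resolves right now.

    Returns a dict; `drifted` is True when an operator needs to update the
    static object because the WAN address behind the DynDNS name changed.
    """
    current_ip, chain = resolve_a(gw.dns_name, zone)
    return {
        "gateway": gw.name,
        "configured_ip": gw.configured_ip,
        "resolved_ip": current_ip,
        "chain": chain,
        "drifted": current_ip != gw.configured_ip,
    }


def main():
    gw = GatewayObject("cp-3600", "vpn.customerdomain.com", "198.51.100.7")
    print(check_drift(gw, ZONE))  # matches: drifted False

    # Simulate the WAN IP changing and DynDNS being updated by the gateway.
    changed_zone = dict(ZONE)
    changed_zone["example-gw.dyndns.org."] = ("A", "203.0.113.42")
    print(check_drift(gw, changed_zone))  # stale static object: drifted True


if __name__ == "__main__":
    main()
```

Run as a periodic job, the drift check turns the "manual intervention" step into an alert: the static object is only updated when DNS actually disagrees with it. The chain returned by `resolve_a` also makes it easy to see which hop (the customer's CNAME or the DynDNS A record) changed.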
jijotms0511
Contributor

Thank you so much for the explanation!
