This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
jijotms0511
Contributor
‎2020-11-23 07:05 PM

checkpoint 3600 query on ipsec vpn and ssl vpn

Jump to solution

Hi Team,

I have a question on Checkpoint model 3600 ( Gaia R80.30)

Checkpoint Interface connected to the internet don't have a static ip and it is dynamic.

Need to achieve an Ipsec site to site VPN with fortinet firewall and also ssl vpn also should be configured with duo authentication. Is the above requirement possible with dynamic public ip for the checkpoint interface connected to internet?

Customer is planning of  subscribing to one of the DynDNS service so that the CP firewall can keep updating the DynDNS with the latest IP that the firewall hold.

Also consider creating a CNAME for their company domain that points to the dyndns domain for VPN requirements. 

Thanks,

Jijo Thomas

 

 

 

 

0 Kudos
Reply
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-11-24 11:54 AM
In response to jijotms0511

Jump to solution

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

Screen Shot 2020-11-24 at 11.42.24 AM.png

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

Screen Shot 2020-11-24 at 11.48.00 AM.png

If you're interested in the above solution, I recommend connecting with your local Check Point office.

View solution in original post

Reply
5 Replies
PhoneBoy
Admin
Admin
‎2020-11-23 08:47 PM

Jump to solution

Only way to do Site2Site VPN with a dynamic IP is with certificate-based authentication.
Not sure how Mobile Access Blade would handle the dynamic IP.
It might be better to use something like our new Corporate Access solution (Formerly known as Odo), which will definitely work with a dynamic IP: https://www.checkpoint.com/odo/

Reply
jijotms0511
Contributor
‎2020-11-23 09:06 PM
In response to PhoneBoy

Jump to solution

Thank you so much..let me check on the same. 

 

0 Kudos
Reply
jijotms0511
Contributor
‎2020-11-24 01:56 AM
In response to PhoneBoy

Jump to solution

 

Hi , the plan for the user us like below for mobile users with dynamic ip

User -> vpn.customerdomain.com

vpn.customerdomain.com CNAME to XX.dyndns.org

XX.dyndns.org is on dynamic IP that CP will keep updating based on it WAN IP.

Please help to confirm

Thanks,

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-11-24 11:54 AM
In response to jijotms0511

Jump to solution

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

Screen Shot 2020-11-24 at 11.42.24 AM.png

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

Screen Shot 2020-11-24 at 11.48.00 AM.png

If you're interested in the above solution, I recommend connecting with your local Check Point office.

View solution in original post

Reply
jijotms0511
Contributor
‎2020-11-24 10:08 PM
In response to PhoneBoy

Jump to solution

Thank you so much for the explanation!

0 Kudos
Reply