Solved: checkpoint 3600 query on ipsec vpn and ssl vpn

jijotms0511 · ‎2020-11-23

Hi Team,

I have a question on Checkpoint model 3600 ( Gaia R80.30)

Checkpoint Interface connected to the internet don't have a static ip and it is dynamic.

Need to achieve an Ipsec site to site VPN with fortinet firewall and also ssl vpn also should be configured with duo authentication. Is the above requirement possible with dynamic public ip for the checkpoint interface connected to internet?

Customer is planning of subscribing to one of the DynDNS service so that the CP firewall can keep updating the DynDNS with the latest IP that the firewall hold.

Also consider creating a CNAME for their company domain that points to the dyndns domain for VPN requirements.

Thanks,

Jijo Thomas

PhoneBoy · ‎2020-11-24

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

If you're interested in the above solution, I recommend connecting with your local Check Point office.

View solution in original post

PhoneBoy · ‎2020-11-23

Only way to do Site2Site VPN with a dynamic IP is with certificate-based authentication.
Not sure how Mobile Access Blade would handle the dynamic IP.
It might be better to use something like our new Corporate Access solution (Formerly known as Odo), which will definitely work with a dynamic IP: https://www.checkpoint.com/odo/

jijotms0511 · ‎2020-11-23

Thank you so much..let me check on the same.

jijotms0511 · ‎2020-11-24

Hi , the plan for the user us like below for mobile users with dynamic ip

User -> vpn.customerdomain.com

vpn.customerdomain.com CNAME to XX.dyndns.org

XX.dyndns.org is on dynamic IP that CP will keep updating based on it WAN IP.

Please help to confirm

Thanks,

PhoneBoy · ‎2020-11-24

Mobile Access requires a fixed IP address to operate.
If you configure the gateway with a Dynamic IP address, Mobile Access Blade is not available (see screenshot below).

Even with traditional IPsec VPN, the gateway IP is ultimately what is resolved in the local configuration.
When that IP changes, your clients will not be able to connect.

If the IP rarely changes, you can configure the gateway with a static IP and update the configuration when the local IP changes.
However, this will require manual intervention when the IP does change.

The Odo solution I mentioned previously has none of these issues.
An on-premise agent runs in an on-premise Docker container that initiates an outbound connection with the Check Point cloud.
Access to on-premise resources is mediated through a controller that operates in the cloud, where your end users connect.
No inbound access is needed (thus no need for remote users to know your local IP).

If you're interested in the above solution, I recommend connecting with your local Check Point office.

View solution in original post

jijotms0511 · ‎2020-11-24

Thank you so much for the explanation!

checkpoint 3600 query on ipsec vpn and ssl vpn

How to activate license in New check point

MFA and secondary connect / Multi sites

Change management interface from access to trunk o...

Deploy Checkpoint HA in different availability zon...

message log : Global param: operation failed: Unkn...