When trying to connect a DAIP VPN Gateway with NAT hide to the VPN VSX, no VPN tunnel can be established. In the files iked.elg and vpnd.elg I don't find a reason why this VPN tunnel cannot be established.
The Check Point TAC told us that this is not working due to the fact that NAT hide changes the IKE source port from 500/udp to a high port and also NAT-T from 4500/4500 to a high port. Still, the destination port remains correct.
All other site-to-site VPN tunnels work fine. They all have a fixed public IP address. Please help me to find the reason why this is not working.
Does anybody have experience with such a topology or even a setup which is working?
Thank you for your help.
Would you mind sending the debug files? Happy to review myself (you can also DM me, no problem). By the way, in my humble opinion, if the dst port is unchanged, then you are fine, because the source port literally would never matter, only the destination one.
Andy
Hello Andy
Thanks for your fast answer. That's what I thought as well, that the source port would not matter, but the engineers in the case insisted that it has to have the same source port for IKE and NAT-T.
I will try to find the requested files and send them to you.
On the central side I have a cluster of Quantum 26000 with a VSX for VPN connection and on the remote side I have a Quantum Spark 1575.
Should that topology work at all?
That should be fine. Is it a star community? Honestly, I still have a hard time understanding why the source port would need to be the same, but maybe someone else can confirm for sure.
Andy
Why do you use S2S for a DAIP GW? The reasonable choice would be to fall back to RAS VPN in this case. Did you try that?
Hello
Now I am confused. How would I define a RAS VPN then?
What object would I define in the SmartConsole for the DAIP gateway?
Regards
Beat
Should work if the DAIP GW starts the VPN tunnel. Did you read sk167473: Dynamically Assigned IP Address (DAIP) Gateway FAQ?
I was able to configure both the dynamic gateway and the center-side VSX on the same management server.
After allowing the ports FW1_ica_pull, FW1_ica_push, FW1_ica_services and FW1_log and defining the dynamic gateway's MAC address I was able to configure the SIC securely.
After that I could pull the prepared policy from the management server and then the VPN tunnel and the prepared policy was working.
Thanks again to Andy, the legend, for his support.
Why did you have to allow these ports? Are they not covered by implied rules?
The DAIP gateway is on the Internet and needs to communicate with the Check Point management server, which is behind the Internet firewall. So, for the SIC I allowed FW1_ica_service, FW1_ica_pull, FW1_ica_push, FW1_log and CPD to the public (NAT) object of the management server. With only the implied rules this did not work for me.
Is there another way to do that?
I cannot verify that; this had not been needed for non-VSX GAiA GWs / SMS with older SMBs. But as it is working, that seems the correct way to do it 😉