
Large scale VPN with Dynamically Assigned IP Gateways (DAIP)

Question asked by 2801a434-e961-416d-87f0-a70c4bc3f259 on Jul 25, 2018
Latest reply on Jul 26, 2018 by Maarten Sjouw

Does anyone have experience with deploying Check Point gateways in a large-scale hub-and-spoke setup with dynamically assigned IP gateways?


We've got a case where we have two corporate offices A and B and 49 branch offices to be connected. Some of the 49 are connected to A and some to B. There are existing network links between A-B. All the branches have DSL-type Internet connections with dynamically assigned IPs on ISP-provided routers. Branch firewalls will be behind these routers through NAT. We're looking at interconnecting the branches to the two offices. There will be main Check Point gateways with fixed IPs at the two offices A and B with management appliances. Users in branches access the Internet via their branch connections, not via head office. I've got a couple of questions:


1) Will DAIP and LSV features of Check Point work correctly in this scenario?


2) Are there any guides or references to deploy such a system?


3) Reading the VPN Admin Guide, page 119: how does that work? Is there some Dynamic DNS service involved here?


Use DNS Resolving: This method is required for Dynamically Assigned IP (DAIP) Security Gateways. A VPN tunnel to a DAIP Security Gateway can only be initiated using DNS resolving since the IP address of the DAIP Security Gateway cannot be known in advance. If using this method for a non-DAIP Security Gateway, the IP address must be defined in the Topology tab. Without DNS resolving, a DAIP Security Gateway can only initiate the first connection between two peers. The second connection can be initiated by the peer Security Gateway as long as the IP address of the DAIP Security Gateway has not changed.


I was unable to find much info on either DAIP or LSV unfortunately apart from the admin guides.