This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pyiephyohtay
Contributor
‎2023-09-11 06:23 AM

Site to Site VPN with Dynamic IP

Dear Members,

 

Currently, I'm using a site-to-site VPN connection between a Checkpoint SMB 1880 and an ASA firewall. The Checkpoint has a Public IP address assigned, while the ASA side is using a dynamic IP address. Phase 1 and Phase 2 are correctly configured on both sides, but the tunnel is not coming up for Phase 1 and 2 (IKEv2).

Does someone have a configuration guide for this, or can you please help me with my issues?

Thanks.

PPH

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-09-11 06:35 AM

I have one doc from another community post, not sure if it would apply 100% to you, but just curious, what do they see on ASA side? I attached the doc and also, below is simple debug you can do on cp and asa side.

Andy

CP side:

gw expert mode:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

collect ike.elg and vpnd.elg files from $FWDIR/log dir on the fw

************************************

ASA debug

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

 

Preview file
369 KB
pyiephyohtay
Contributor
‎2023-09-13 03:34 AM
In response to the_rock

Dear The Rock,

It's important to note that the SMB series is completely different from the Security Gateway Series. The tunnel for the VPN is now up, but traffic is not reaching the Checkpoint side. Ping and Telnet are not functioning. 

0 Kudos
the_rock
Legend
Legend
‎2023-09-13 05:44 AM
In response to pyiephyohtay

Have you done any captures, checked the logs to see why its failing?

Andy

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-13 06:21 AM
In response to pyiephyohtay

If this is locally managed SMB theVPN peer DAIP.pdf does not apply. Here is a document including SMB side config: sk109139: How to configure Site-to-Site VPN between Locally Managed Embedded GAIA appliance and Cent....

Who starts the VPN tunnel ? It has to be the ASA afaik. Also only certificate based VPN will work as stated above. See for centrally managed SMBs sk108600: VPN Site-to-Site with 3rd party and sk53980: How to set up a Site-to-Site VPN with a 3rd-party remote gateway

sk98604: No valid SA when creating VPN tunnel between locally managed SMB appliance and 3rd party ga...

CCSE CCTE CCSM SMB Specialist
the_rock
Legend
Legend
‎2023-09-13 06:44 AM
In response to G_W_Albrecht

You are 100% right, that file I sent would not apply if its locally managed appliance.

Andy

0 Kudos
CaseyB
Collaborator
‎2023-09-13 06:04 AM

I know for Check Point to Check Point SMB to work in a dynamic scenario, the VPN has to be setup using certificates. I am not sure if the same applies for third party devices, but it could be your issue. 

RS_Daniel
Advisor
‎2023-09-13 08:26 AM

Hello,

I do not have a configuration guide for third parties, but had a similar scenario with Mikrotik on the remote side. It is working ok. The first question:

are you using certificates for authentication between the peers? it is mandatory when one of peers the has DAIP.

1800 SMB is centrally managed or locally?

The basic flow for cert authentication is export de CA certificate from checkpoint and import it on cisco side. Then on cisco side create a csr, export it and sign it on CheckPoint side. Use this signed certificate on Cisco side for authentication with this VPN.

For 1800 centrally managed sk109139.

For 1800 locally managed sk112213

These two sk's show the configuration between checkpoint devices. But the same flow should work for third parties. In our case it worked. HTH

Regards

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events