This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SergioG
Explorer
‎2022-05-25 01:15 AM

Site to site VPN behind NAT and public dynamic IP

Good morning.

First of all, i have been looking through the forums and i have not found a solution to this "issue". 

I'll try to explain the setup i need.

I'm working with the smart console (R81.10) of the Service Management in Quantum Smart-1 Cloud.

This setup includes one quantum spark 1800 as central Gateway and several quantum spark 1530 as satellite gateways. All of them with firmware version R80.20.40.

All of them are part of a star VPN community.

The 1800 has a public static ip address as WAN and everything configured on it works fine, for example, the remote access VPN.

Each 1500 is place behind NAT created by a different isp router. And here comes the issue: The public ip address of those routers is dynamic.

This is the schema of one of the pairs. The rest is the same but changing the range of internal network on the side of the 1500

1.png

My issue comes from creating site to site vpns in that star community with that dynamic public ip.

The 1800 is setup like this

2.png

That ip address is the public static address asigned in the previous image.

In the 1500s, if i choose the option Statically NATed IP, assuming the dynamic public ip is static, the s2s vpn works perfectly and i can comunicate hosts between internal networks, but, that's not what i need. I need it to work with dynamic public ip.

 

If you are so kind, could you tell me how i need to setup the 1500s in order to work like that but with public dynamic ip?

I have read every guide and every post that i could find about s2s vpn but i am unable to make it work.

I have to say that i am new to Checkpoint. Previously i had Sophos RED devices working in that same environment. The particularity of those devices is that they initiate the tunnel from behind the public dynamic ip, and they can be moved between sites without the need of more configuration.

 

If something isn't clear, please, ask me.

Thank you very much for your help.

 

 

Labels
0 Kudos
13 Replies
PhoneBoy
Admin
Admin
‎2022-05-25 10:20 AM

In general, you would need to use the "Dynamic IP" option in the General tab of the relevant gateway object and use certificates for Authentication.

0 Kudos
SergioG
Explorer
‎2022-05-25 11:36 AM
In response to PhoneBoy

Hello! Thanks for your answer.

I have tried to tick that checkbox in the checkpoint that i used for testing. It has some policy applied also.

I get a warning saying that "The portals on this gateway will reset" and another about "removing the selection of blades, reset traditional mode ike properties, reset vpn selection and removing nat definitions." If i accept anyway and try to accept and apply the changes to the gateway, i get the following error that doesn't allow me to procede and erases the changes made.

3.png

Could you give me some insight on why it says that? 

I'm out of the office right now, but tomorrow i'll add another of the 1500s to the service management server and try to activate daip with the default options.

I'll inform you if it works or not. 

Thank you!

0 Kudos
Wolfgang
Authority
Authority
‎2022-05-25 12:07 PM
In response to SergioG

Try to remove the gateway from your vpn community and save. Then configure dynamic IP.

0 Kudos
SergioG
Explorer
‎2022-05-27 12:01 AM
In response to Wolfgang

Good morning.

I have added 3 of the 1500 as new devices and, after activating the Dynamic ip option, the vpn tunnel works fine.

Once it is up, i can send pings from the satellite domain to the central domain. But, the pings going the opposite direction fail most of the time.

I have to setup the 1500 i was using for testing, and after removing every option that i had previously configured (vpn community, vpn domain, its own policy, its name from other policies, etc), i am still unable to change it to daip. The error is the same as the previous message:

3.png

Thanks

0 Kudos
orion_son30
Collaborator
‎2025-03-31 07:26 AM
In response to SergioG

Hi,

Did you ever has solved the issue? I'm having the exact same problem. 

 

Kind regards

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-04-01 05:10 AM
In response to orion_son30

This post is from 3 years ago ! I would suggest to reset the SMB to factory defaults and add it in SMS as with Dynamic ip

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
orion_son30
Collaborator
‎2025-04-01 05:17 AM
In response to G_W_Albrecht

Hi,

Yep, that was exactly what I did before asking here. No luck. Even when I've started from the beginning, including deleting the object from the Management Database, I still get the exact same error. That's why I was asking on this thread if anyone has solved this issue. 

By the way, the Management is a Smart-1 Cloud Environment. 

 

Regards

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-04-01 05:26 AM
In response to orion_son30

Best is to open SR# with CP TAC, they could be able to quickly resolve this in a short RAS !

My way of action would be:

- in Dashboard, remove SMB from VPN community

- in Dashboard, delete SMB from GWs

- in WebGUI, reset SMB to factory defaults

- in WebGUI, perform FTW for SMB

- in Dashboard, add SMB with Dynamic IP

- in Dashboard, add SMB to VPN community

Not to forget: DAIP GWs have to start the VPN communication

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
orion_son30
Collaborator
‎2025-04-03 05:46 AM
In response to G_W_Albrecht

Hi,

Yes, I've already tried to delete everything and start from scratch, but no luck. The issue remains, I still get the same message. 

Well, for know I've workaround the issue, using the Static Natted IP address on the Link Selection. Since this is a small site, we will try again to define the Gateway as DAIP when the end customer give us another maintenance window.

I will probably involving TAC for this,

Regards.

0 Kudos
CarlosCP
Employee
Employee
‎2025-04-01 10:01 AM

I think this is what you are looking for

 

CarlosCP_0-1743526842059.png

 

CarlosCP_1-1743526842061.png

for authentication use certificate since both gateways are Checkpoint. 

0 Kudos
orion_son30
Collaborator
‎2025-04-03 05:41 AM
In response to CarlosCP

Hi,

Nope. This is not an Externally Managed Gateway. This Gateway is Managed on this Smart-1 Cloud Management. 

Regards.

0 Kudos
RS_Daniel
Advisor
‎2025-04-03 06:14 AM
In response to orion_son30

Hello,

The same options that CarlosCP mention are available on gateways managed by the SMS. When you check the option Dynamic IP address on global properties the DAIP external interface is created by default.

Picture1.png

 With that config i was able to apply changes, maybe you added some other changes that caused the issue? 

0 Kudos
orion_son30
Collaborator
‎2025-04-04 01:50 AM
In response to RS_Daniel

Hi,

I know that on the interface level you have a check box to define the Dynamic IP. I'm aware of that. However, in an object directly managed on your Management server, that box is automatically picked up when you change the object General Properties to Dynamic IP. Which is not the case for the Externally Managed Check Point Gateway. 

I think this is clearly some kind of bug. Maybe just on Smart-1 Cloud environments.

Kind regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 07 Oct 2025 @ 09:30 AM (CEST)

    CheckMates Live Denmark!
    CheckMates Events