SergioG
Explorer

Site to site VPN behind NAT and public dynamic IP

Good morning.

First of all, I have been looking through the forums and I have not found a solution to this "issue".

I'll try to explain the setup I need.

I'm working with the smart console (R81.10) of the Service Management in Quantum Smart-1 Cloud.

This setup includes one quantum spark 1800 as central Gateway and several quantum spark 1530 as satellite gateways. All of them with firmware version R80.20.40.

All of them are part of a star VPN community.

The 1800 has a public static ip address as WAN and everything configured on it works fine, for example, the remote access VPN.

Each 1500 is placed behind NAT created by a different ISP router. And here comes the issue: the public IP address of those routers is dynamic.

This is the schema of one of the pairs. The rest is the same but changing the range of the internal network on the side of the 1500.

[Image: 1.png]

My issue comes from creating site-to-site VPNs in that star community with that dynamic public IP.

The 1800 is set up like this:

[Image: 2.png]

That IP address is the public static address assigned in the previous image.

In the 1500s, if I choose the option "Statically NATed IP", assuming the dynamic public IP is static, the S2S VPN works perfectly and I can communicate hosts between internal networks, but that's not what I need. I need it to work with a dynamic public IP.

If you are so kind, could you tell me how I need to set up the 1500s in order to work like that but with a public dynamic IP?

I have read every guide and every post that I could find about S2S VPN but I am unable to make it work.

I have to say that I am new to Check Point. Previously I had Sophos RED devices working in that same environment. The particularity of those devices is that they initiate the tunnel from behind the public dynamic IP, and they can be moved between sites without the need for more configuration.

If something isn't clear, please, ask me.

Thank you very much for your help.

4 Replies
PhoneBoy
Admin

In general, you would need to use the "Dynamic IP" option in the General tab of the relevant gateway object and use certificates for Authentication.

SergioG
Explorer

Hello! Thanks for your answer.

I have tried to tick that checkbox in the Check Point that I used for testing. It has some policy applied also.

I get a warning saying that "The portals on this gateway will reset" and another about "removing the selection of blades, reset traditional mode ike properties, reset vpn selection and removing nat definitions." If I accept anyway and try to accept and apply the changes to the gateway, I get the following error that doesn't allow me to proceed and erases the changes made.

[Image: 3.png]

Could you give me some insight on why it says that? 

I'm out of the office right now, but tomorrow I'll add another of the 1500s to the Service Management server and try to activate DAIP with the default options.

I'll inform you if it works or not. 

Thank you!

Wolfgang
Mentor

Try to remove the gateway from your VPN community and save. Then configure Dynamic IP.

SergioG
Explorer

Good morning.

I have added 3 of the 1500s as new devices and, after activating the Dynamic IP option, the VPN tunnel works fine.

Once it is up, I can send pings from the satellite domain to the central domain. But the pings going in the opposite direction fail most of the time.

I have to set up the 1500 I was using for testing, and after removing every option that I had previously configured (VPN community, VPN domain, its own policy, its name from other policies, etc.), I am still unable to change it to DAIP. The error is the same as in the previous message:

[Image: 3.png]

Thanks
