- Products
- Learn
- Local User Groups
- Partners
- More
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
Join our TechTalk: Malware 2021 to Present Day
Building a Preventative Cyber Program
Be a CloudMate!
Check out our cloud security exclusive space!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
Good morning.
First of all, i have been looking through the forums and i have not found a solution to this "issue".
I'll try to explain the setup i need.
I'm working with the smart console (R81.10) of the Service Management in Quantum Smart-1 Cloud.
This setup includes one quantum spark 1800 as central Gateway and several quantum spark 1530 as satellite gateways. All of them with firmware version R80.20.40.
All of them are part of a star VPN community.
The 1800 has a public static ip address as WAN and everything configured on it works fine, for example, the remote access VPN.
Each 1500 is place behind NAT created by a different isp router. And here comes the issue: The public ip address of those routers is dynamic.
This is the schema of one of the pairs. The rest is the same but changing the range of internal network on the side of the 1500
My issue comes from creating site to site vpns in that star community with that dynamic public ip.
The 1800 is setup like this
That ip address is the public static address asigned in the previous image.
In the 1500s, if i choose the option Statically NATed IP, assuming the dynamic public ip is static, the s2s vpn works perfectly and i can comunicate hosts between internal networks, but, that's not what i need. I need it to work with dynamic public ip.
If you are so kind, could you tell me how i need to setup the 1500s in order to work like that but with public dynamic ip?
I have read every guide and every post that i could find about s2s vpn but i am unable to make it work.
I have to say that i am new to Checkpoint. Previously i had Sophos RED devices working in that same environment. The particularity of those devices is that they initiate the tunnel from behind the public dynamic ip, and they can be moved between sites without the need of more configuration.
If something isn't clear, please, ask me.
Thank you very much for your help.
In general, you would need to use the "Dynamic IP" option in the General tab of the relevant gateway object and use certificates for Authentication.
Hello! Thanks for your answer.
I have tried to tick that checkbox in the checkpoint that i used for testing. It has some policy applied also.
I get a warning saying that "The portals on this gateway will reset" and another about "removing the selection of blades, reset traditional mode ike properties, reset vpn selection and removing nat definitions." If i accept anyway and try to accept and apply the changes to the gateway, i get the following error that doesn't allow me to procede and erases the changes made.
Could you give me some insight on why it says that?
I'm out of the office right now, but tomorrow i'll add another of the 1500s to the service management server and try to activate daip with the default options.
I'll inform you if it works or not.
Thank you!
Try to remove the gateway from your vpn community and save. Then configure dynamic IP.
Good morning.
I have added 3 of the 1500 as new devices and, after activating the Dynamic ip option, the vpn tunnel works fine.
Once it is up, i can send pings from the satellite domain to the central domain. But, the pings going the opposite direction fail most of the time.
I have to setup the 1500 i was using for testing, and after removing every option that i had previously configured (vpn community, vpn domain, its own policy, its name from other policies, etc), i am still unable to change it to daip. The error is the same as the previous message:
Thanks
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY