Good morning.
First of all, i have been looking through the forums and i have not found a solution to this "issue".
I'll try to explain the setup i need.
I'm working with the smart console (R81.10) of the Service Management in Quantum Smart-1 Cloud.
This setup includes one quantum spark 1800 as central Gateway and several quantum spark 1530 as satellite gateways. All of them with firmware version R80.20.40.
All of them are part of a star VPN community.
The 1800 has a public static ip address as WAN and everything configured on it works fine, for example, the remote access VPN.
Each 1500 is place behind NAT created by a different isp router. And here comes the issue: The public ip address of those routers is dynamic.
This is the schema of one of the pairs. The rest is the same but changing the range of internal network on the side of the 1500
My issue comes from creating site to site vpns in that star community with that dynamic public ip.
The 1800 is setup like this
That ip address is the public static address asigned in the previous image.
In the 1500s, if i choose the option Statically NATed IP, assuming the dynamic public ip is static, the s2s vpn works perfectly and i can comunicate hosts between internal networks, but, that's not what i need. I need it to work with dynamic public ip.
If you are so kind, could you tell me how i need to setup the 1500s in order to work like that but with public dynamic ip?
I have read every guide and every post that i could find about s2s vpn but i am unable to make it work.
I have to say that i am new to Checkpoint. Previously i had Sophos RED devices working in that same environment. The particularity of those devices is that they initiate the tunnel from behind the public dynamic ip, and they can be moved between sites without the need of more configuration.
If something isn't clear, please, ask me.
Thank you very much for your help.
Hello! Thanks for your answer.
I have tried to tick that checkbox in the checkpoint that i used for testing. It has some policy applied also.
I get a warning saying that "The portals on this gateway will reset" and another about "removing the selection of blades, reset traditional mode ike properties, reset vpn selection and removing nat definitions." If i accept anyway and try to accept and apply the changes to the gateway, i get the following error that doesn't allow me to procede and erases the changes made.
Could you give me some insight on why it says that?
I'm out of the office right now, but tomorrow i'll add another of the 1500s to the service management server and try to activate daip with the default options.
I'll inform you if it works or not.
Thank you!
Good morning.
I have added 3 of the 1500 as new devices and, after activating the Dynamic ip option, the vpn tunnel works fine.
Once it is up, i can send pings from the satellite domain to the central domain. But, the pings going the opposite direction fail most of the time.
I have to setup the 1500 i was using for testing, and after removing every option that i had previously configured (vpn community, vpn domain, its own policy, its name from other policies, etc), i am still unable to change it to daip. The error is the same as the previous message:
Thanks
I think this is what you are looking for
for authentication use certificate since both gateways are Checkpoint.
Hello,
The same options that CarlosCP mention are available on gateways managed by the SMS. When you check the option Dynamic IP address on global properties the DAIP external interface is created by default.
With that config i was able to apply changes, maybe you added some other changes that caused the issue?
| User | Count |
|---|---|
| 4 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Tue 13 May 2025 @ 04:00 PM (CEST)
German Session: NIS2- Compliance: Effiziente Vorbereitung und UmsetungTue 13 May 2025 @ 04:00 PM (CEST)
Maestro Masters EMEA: Quantum Maestro Architectures and OptimizationTue 13 May 2025 @ 02:00 PM (EDT)
Maestro Masters Americas: Quantum Maestro Architectures and OptimizationWed 14 May 2025 @ 10:00 AM (CEST)
ATAM 360°: Elevate Your Cyber Security Strategy with Proactive services - EMEAWed 14 May 2025 @ 03:00 PM (CEST)
NIS2 Readiness: Assess, Secure, and Comply with ConfidenceWed 14 May 2025 @ 10:30 AM (BRT)
Transforme sua Segurança de Rede com Agilidade e EficiênciaTue 13 May 2025 @ 04:00 PM (CEST)
Maestro Masters EMEA: Quantum Maestro Architectures and OptimizationTue 13 May 2025 @ 02:00 PM (EDT)
Maestro Masters Americas: Quantum Maestro Architectures and OptimizationWed 14 May 2025 @ 10:00 AM (CEST)
ATAM 360°: Elevate Your Cyber Security Strategy with Proactive services - EMEAWed 14 May 2025 @ 03:00 PM (CEST)
NIS2 Readiness: Assess, Secure, and Comply with ConfidenceWed 14 May 2025 @ 10:30 AM (BRT)
Transforme sua Segurança de Rede com Agilidade e EficiênciaWed 14 May 2025 @ 05:00 PM (CEST)
ATAM 360°: Elevate Your Cybersecurity Strategy with Proactive services - AMERICASThu 15 May 2025 @ 09:00 AM (IDT)
PA In-Person CloudGuard Workshop (CGNS, WAF, & API Security)
.png "Wolfgang"){kind=avatar}
