This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
obsidian11
Contributor
‎2022-08-29 06:02 AM

Site to site VPN drops with Dynamic DNS

Greetings,

I'm wondering what can cause this issue, I have 2 appliances (locally managed) from Check Point 700 Appliance family (730 & 790). On both of them, there is DDNS feature enabled (because those two are DAIP gateways - don't have static WAN IP), provider is no-ip.com and domains *.ddns.net successfully point to proper dynamic IPs.

When my friends and I try to establish site to site vpn between those peers, when we put IP addresses (dynamic ones) everything seems fine. However, when we put host names instead of those IPs, tunnel won't go up.

Has anyone run into the same problem?

P.S. Other settings are default ones (authentication: pre-shared secret; encryption: default etc.)

0 Kudos
4 Replies
obsidian11
Contributor
‎2022-08-31 03:14 AM
In response to G_W_Albrecht

Honestly I didn't try this certificate based configuration (as I said, all other gateways are configured via pre-shared key for s2s vpn), but what I did after reading those 2 articles/guides was reinitializing certificates and now I have 2 scenarios..

There is always green checkmark (tunnels are up), but..

When I put hostname for the first gateway, and dynamic IP for the second gateway everything works fine.

However, if I put hostnames for both gateways, there is still green checkmark (signalizing that tunnel is up), but it's not working..

Any ideas why this happens? I mean configurations are almost same as other gateways from same appliances family.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-08-31 03:35 AM
In response to obsidian11

Could be a NAT-T issue, see sk167116: In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname. Refer to sk162472 for more information. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
obsidian11
Contributor
‎2022-08-31 04:13 AM
In response to G_W_Albrecht

Thanks mate, I will take a look at those SKs and provide more information.

P.S. When I type

[Expert@appliance]# fw ctl get int vpn_force_nat_t
vpn_force_nat_t = 0

it's disabled on every appliance.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top