aMatthew
Contributor

Change PEER VPN in Interoperable Device

Hi, everyone,
I would need to know a piece of information.
A provider of ours has changed the IP address of his firewall, with which we have a S2S VPN. Is it possible to change the VPN we already have configured by inserting the new peer instead of the old one?
In a nutshell, if I open the interoperable object, can I change to the new IP address without anything being affected?
Are there any other actions to follow?
I need to reset a new PSK

Thanks to all for the support.

 

(1)
33 Replies
G_W_Albrecht
Legend

Yes, should be easy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
the_rock
Legend
Legend

Yea, that should be pretty simple. Just make sure nothing else changed and PSK is done below (though I'm sure you know that already) : - )

Andy

 

Screenshot_2.png

0 Kudos
(1)
aMatthew
Contributor

Thanks for the support, but I need to change the remote peer address on the star community and not the PSK.
Changing the remote IP address does not create impacts, right?
Sorry for asking all these questions, but in the next few days I have to do this activity that impacts production and I am very concerned 🥶

0 Kudos
freeman91
Contributor

After changing and clicking OK I got this message:

Screenshot_5.png

What am I missing?

0 Kudos
Nüüül
Advisor
Advisor

Had something similar in my lab, but more often, and wrote a Nagios check which then updates the device.

(https://github.com/leinadred/CP_updatedynip_gw)

 

The line which should be interesting for you might be:

str_set_newip = "echo -e 'modify network_objects "+args.hostobjectname+" ipaddr "+str(resp_dnsip)+"\n-q\n' | dbedit -local"

 

So when changing the IP of an interoperable device named "test" to 1.2.3.7 it would look like:

[Expert@fwm:0]# dbedit -local
Please enter a command, -h for help or -q to quit:
dbedit> modify network_objects test ipaddr 1.2.3.7
dbedit> quit -update_all
network_objects::test Updated Successfully
[Expert@fwm:0]#

 

Changing the remote IP address does not create impacts right? 

- it will, at least for a short period (sometimes it takes longer or needs a manual session deletion on both sites), until the VPN is reestablished with the new IP. That's what maintenance windows are made for 🙂

 

 

 

Disclaimer:

- I used this some time ago, so before doing this in production, test it. I know, it's not pretty 😄

 

0 Kudos
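An added example (not Nüüül's script and not Check Point code) of preparing the same dbedit update, but with the object name and the new address validated before they are spliced into the command script, so an unexpected DNS answer or a mistyped name cannot smuggle extra dbedit commands in. `dbedit -local` and `quit -update_all` are taken from the session above; the script is fed on stdin instead of through `echo -e`, and the function names and the dry-run behaviour are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# Conservative allow-list for the network_objects name we are willing to edit.
# Anything outside it (quotes, spaces, newlines, '-q' tricks) is rejected.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_dbedit_script(object_name: str, new_ip: str) -> str:
    """Return the dbedit command script that moves a network object
    (e.g. an interoperable device) to a new IPv4 address.

    Both inputs are validated first; a ValueError means "do not run this".
    """
    if not _NAME_RE.match(object_name):
        raise ValueError(f"refusing unsafe object name: {object_name!r}")
    # ip_address() rejects garbage such as '1.2.3' or trailing text;
    # we additionally insist on IPv4 because 'ipaddr' is the IPv4 field.
    addr = ipaddress.ip_address(new_ip)
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 address, got {new_ip!r}")
    # Mirrors the interactive session: modify, then save all and quit.
    return (
        f"modify network_objects {object_name} ipaddr {addr}\n"
        "quit -update_all\n"
    )


def apply_dbedit_script(script: str, dry_run: bool = True) -> str:
    """Feed the script to 'dbedit -local' on stdin (no shell involved).

    With dry_run=True (the default) nothing is executed and the script is
    returned so it can be reviewed before touching a production management.
    """
    if dry_run:
        return script
    result = subprocess.run(
        ["dbedit", "-local"],
        input=script,
        text=True,
        capture_output=True,
        check=True,  # non-zero exit from dbedit raises CalledProcessError
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample: the object and address used in the thread above.
    print(apply_dbedit_script(build_dbedit_script("test", "1.2.3.7")))
```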
freeman91
Contributor

Is there any KB for this? I am not sure about testing and playing with this on production time and equipment.
Why is this so complicated?

0 Kudos
Nüüül
Advisor
Advisor

Question - why do you not just change the peer IP on the interoperable device object in SmartConsole? After doing this, you will have to install policy to apply the settings to the gateway(s)

 

(until policy has been installed on the device, the gateways are using their current settings)

 

 

0 Kudos
freeman91
Contributor

I am trying to do exactly that.

Network object -> interoperable device

right click on that interoperable device -> edit

change Name to the new store name
change IPv4 to the new IPv4 address.
click OK

and then the above error appears...

0 Kudos
the_rock
Legend
Legend

Hey @freeman91 , maybe I missed it, but what is the error that appears?

Andy

0 Kudos
freeman91
Contributor

I just changed the IP address to the new one and the name of the store.

R81.10 GW

R81.20 mgmt server

Screenshot_5.png

0 Kudos
the_rock
Legend
Legend

Never had that issue myself... maybe try deleting it and creating a new one?

0 Kudos
freeman91
Contributor

A bit of a stupid question. Do I just need to create a new interoperable device and assign it to the existing VPN Community like the old one?

0 Kudos
the_rock
Legend
Legend

Yes, BUT... to be 100% sure there won't be any conflicts, personally, I would try to delete the one with the issue from guidbedit first, install policy and then do that.

Andy

freeman91
Contributor

I tried with another interoperable device, and this time I just changed one letter in the name, and the result is the same. Can this be some bug or something?

0 Kudos
the_rock
Legend
Legend

I don't think so, I did that so many times, never had an issue. I really can't say why you keep getting that, would need to see it for myself.

Andy

the_rock
Legend
Legend

If you are allowed to do a remote session, I have 30 mins before I start my day, so we can definitely check, let me know.

Andy

freeman91
Contributor

Thank you for your willingness. It is not up to me this time.

I am the kind of person that will search over the internet, twice, before letting someone do a job instead of me.

0 Kudos
the_rock
Legend
Legend

Don't look at it like that, my motto is we should all work as a team to help one another, that's it.

Anyway, let's just recap briefly:

1) you get the same error with a new interoperable object?

2) Did you try to delete the first one via guidbedit and install policy?

3) if yes to 2, does the same issue remain?

4) If no to 2, any different warning?

Andy

0 Kudos
the_rock
Legend
Legend

Also, FWIW, make sure that another session has not "locked" the object. If you see a lock sign on it, just navigate to what I attached and you can right click on the session if the lock shows any digit other than zero, then take over or discard and try again.

Andy

 

0 Kudos
freeman91
Contributor

1) you get the same error with a new interoperable object?

No. I have like 20 Interoperable objects, and I tried to change just the name on another one, also in production. So no IP address is changed, just the name from "SiteBtest" to "SiteBtes". And I get exactly the same error as for the first Interoperable object

2) Did you try to delete the first one via guidbedit and install policy?

No, I have to explore this guidbedit a bit more bc I see it has no Discard option and I have not enough experience to play with it.

3) if yes to 2, does the same issue remain?

4) If no to 2, any different warning?

 

G_W_Albrecht just posted this SK. Looks promising 🙂

https://support.checkpoint.com/results/sk/sk182598

the_rock
Legend
Legend

Agree! Just looked over it and it may fix the issue, I see it's only a few months old.

Andy

0 Kudos
Nüüül
Advisor
Advisor

When you have the pre-shared key - another way to do this.

 

0 Kudos
G_W_Albrecht
Legend

This first showed up at one of our customers when he tried to change or just open old interoperable devices, and it led to the following SK:

sk182598: Unable to update a Security Gateway object or interoperable device

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
freeman91
Contributor

This KB works only until step 15.

15. In the Traditional mode IKE properties window, clear the options you selected earlier in the sections "Support key exchange encryption with", "Support data integrity with", "Support authentication methods".

because when I clear all the checkboxes that I checked a minute ago, it says that I have to check the integrity and encryption checkboxes, and I cannot leave them blank.

I will explore the second method with the guiDBedit Tool

the_rock
Legend
Legend

I honestly feel that's your best option.

Andy

0 Kudos
freeman91
Contributor

I have found the way; it says the value is 0, bc it is.

KB says

5. In the lower pane, right-click the field isakmp.phase1_DH_groups > select Reset

 

This is a bit expert-level troubleshooting. I am not sure what Reset is going to do.
Do you have experience with it?

db.jpg

 

 

0 Kudos
the_rock
Legend
Legend

Never done it myself, I would confirm with TAC.

Andy

freeman91
Contributor

I would highly appreciate that!

0 Kudos
the_rock
Legend
Legend

I meant YOU would need to open a case and confirm lol

Andy
