CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I have a problem that I'm a little confused by. I am trying to establish a site-to-site VPN between a UTM-1 Edge and a Nokia IP530 running NGX R62. On the SmartCenter server, if I leave the UTM-1 object with a dynamic IP address the VPN won't establish; I get "no response from peer" in the UTM-1 logs. If I then set the IP address on the SmartCenter to the external IP address of the NAT device the UTM-1 is behind, the VPN establishes without any problems. The UTM-1 is going to be used in a few different locations, so I need it to work with a dynamic IP address. Anyone have any ideas? Thanks
In that case do this.

1. Open SmartDashboard. Create a new VPN-1 UTM Edge Gateway.
2. In the 'General Properties' screen, select the 'Externally Managed Gateway' option. Note: if the 'Externally Managed Gateway' option is not marked, this object counts towards the license for managed gateway objects.
3. Click 'VPN' on the left menu. Under the 'Repository of Certificates Available on the Gateway' list, click 'Add...'.
4. Set a Certificate Nickname and, in the 'CA to enroll from' drop-down menu, select 'internal_ca'. Click the 'Generate...' button and, on the next screen, note the DN (CN=xxxxx, O=xxx). Click 'OK' on both windows. The certificates list should now have one entry.
5. Still in the 'VPN' screen, click the 'Matching Criteria...' button. Select 'internal_ca' from the drop-down list, select 'DN' and enter the previously noted DN information. Click 'OK' on both windows.
6. Once the Edge object is created, enter the VPN-1 UTM Edge Gateway properties again and go to 'VPN'. Select the certificate in the 'Repository of Certificates Available on the Gateway' list and click the 'Export p12...' button. You will be prompted to set another password. Save the certificate and then use it on the VPN-1 UTM Edge or Safe@ device.
7. Once this object is set up in SmartDashboard and the certificate has been imported onto the VPN-1 UTM Edge or Safe@ unit from its WebUI, create a VPN Star community with this DAIP object as a satellite gateway in the community on SmartDashboard.

Note: the networks/hosts behind the DAIP device will always have to initiate the tunnel, as the IP on it is dynamic.
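Step 5 above depends on the DN typed into 'Matching Criteria...' being exactly the subject DN of the certificate that ends up on the Edge. The script below is an added check, not part of the original post or of any Check Point tool: it assumes only that `openssl` is on the PATH, builds a throwaway self-signed certificate with a hypothetical DN (CN=edge-gw, O=example), packages it as a password-protected .p12 the way 'Export p12...' does, and then reads the subject DN back out of the .p12 so it can be compared with the DN you wrote down. Point `p12_subject_dn` at the real exported file to run the same comparison against your own certificate.

```shell
#!/bin/sh
# Added example (not from the CPUG thread). Assumes the openssl CLI is installed.
# The DN CN=edge-gw, O=example and the password "secret" are hypothetical fixtures.
set -e

# Print the subject DN of the client certificate stored in a .p12 file,
# in "CN=..., O=..." form, the same layout SmartDashboard shows.
#   $1 = path to the .p12 file, $2 = the export password
p12_subject_dn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
}

# Compare two DN strings, ignoring spacing around the commas and equals
# signs (the matching-criteria dialog and openssl differ only in spacing).
# Exit status 0 when they match, 1 otherwise.
dn_matches() {
    dn_a=$(printf '%s' "$1" | tr -d ' ')
    dn_b=$(printf '%s' "$2" | tr -d ' ')
    [ "$dn_a" = "$dn_b" ]
}

# Build a constructed fixture: a self-signed certificate with the hypothetical
# DN, exported to a .p12 protected by the password given as $1.
# Prints the path of the .p12 file.
make_fixture_p12() {
    fixture_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=edge-gw/O=example" \
        -keyout "$fixture_dir/edge.key" -out "$fixture_dir/edge.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$fixture_dir/edge.crt" -inkey "$fixture_dir/edge.key" \
        -out "$fixture_dir/edge.p12" -passout "pass:$1"
    printf '%s\n' "$fixture_dir/edge.p12"
}

# Stand-alone demonstration: export a fixture, read its DN back, and compare it
# with the DN that would be typed into 'Matching Criteria...'.
expected_dn="CN=edge-gw, O=example"   # hypothetical value noted from SmartDashboard
p12_path=$(make_fixture_p12 secret)
actual_dn=$(p12_subject_dn "$p12_path" secret)
printf 'DN in p12:   %s\n' "$actual_dn"
printf 'expected DN: %s\n' "$expected_dn"
if dn_matches "$actual_dn" "$expected_dn"; then
    echo "match: certificate DN agrees with the matching criteria"
else
    echo "MISMATCH: fix the DN in 'Matching Criteria...' or re-export the certificate"
fi
```

For a real Edge deployment replace the fixture with the file saved by 'Export p12...' and the password set at export time; `openssl pkcs12` reads that file directly.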
| |||
| I've had trouble using the 'Enterprise' VPN on Edge devices in the past. As a work around I've defined manual VPN's on the Edge device (from the Edge GUI). I've done this with units configured as DAIP objects that use digital certificates for authentiation and it works fine. The Edge unit itself knows the peer IP (rather than relying on the topology info in the VPN community) and does manage to renegotiate tunnels fairly well when the external IP changes (from a move or dhcp lease expirey/renew etc). Hope this helps. |
| |||
How did you define the Edge in the management? As a Check Point gateway Edge device or an externally managed Edge? I would just move to managed instead, as this will remove all the hassle. Also make sure to enable Permanent Tunnels when using a dynamic IP, as this is the only way for the central site to find the Edge again.

__________________
Regards, Maarten.
P1 R62 IPSO SPLAT IOS