CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VPN against a gateway with a dynamic IP

  1. #1

    VPN against a gateway with a dynamic IP

    Hi,

    I want to establish a VPN connection between my Check Point and another gateway. The problem is that the other peer has a dynamic IP, so I am not sure how I should do that. I am working with SmartConsole.

    I read a lot of documentation and I think I should create a UTM-1 Edge gateway, create a certificate and install this cert in this external gateway. This way, in the matching criteria options it could authenticate against my Check Point despite the dynamic IP address.

    I am not sure about that, so my question is: is this how I should do it, or does some other way exist?

    Thanks beforehand, Mike.

  2. #2

    Re: VPN against a gateway with a dynamic IP

    You should only create it as a UTM-1 EDGE appliance if it truly is a UTM-1 EDGE appliance.
    Otherwise you would create it as an Externally Managed VPN Gateway with the Dynamic Address box checked.
    Authentication in this case MUST be Certificate-based.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3

    Re: VPN against a gateway with a dynamic IP

    Quote, originally posted by PhoneBoy:
        You should only create it as a UTM-1 EDGE appliance if it truly is a UTM-1 EDGE appliance.
        Otherwise you would create it as an Externally Managed VPN Gateway with the Dynamic Address box checked.
        Authentication in this case MUST be Certificate-based.

    Thanks for your answer!

    I will do that. However, I forgot that the remote peer has an FQDN whose resolution gives me the IP. Can I do something with that, or is certificate-based authentication still the only solution?
    Furthermore, the remote gateway is not a Check Point gateway. Should I create an "interoperable device" for this remote peer?

    Thanks, Mike.

  4. #4

    Re: VPN against a gateway with a dynamic IP

    Quote, originally posted by mikiteleco:
        I will do that. However, I forgot that the remote peer has an FQDN whose resolution gives me the IP. Can I do something with that, or is certificate-based authentication still the only solution?
        Furthermore, the remote gateway is not a Check Point gateway. Should I create an "interoperable device" for this remote peer?

    Since it's not a Check Point gateway, you should definitely create it as an interoperable device.
    If you can guarantee the remote IP address won't change, then you can configure the IP address in the interoperable object and use methods other than certificates for authentication.
    Otherwise, you must configure it as a Dynamic Address and configure the DNS name in the Interoperable Device object under IPSec VPN > Link Selection.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5

    Re: VPN against a gateway with a dynamic IP

    Quote, originally posted by PhoneBoy:
        Since it's not a Check Point gateway, you should definitely create it as an interoperable device.
        If you can guarantee the remote IP address won't change, then you can configure the IP address in the interoperable object and use methods other than certificates for authentication.
        Otherwise, you must configure it as a Dynamic Address and configure the DNS name in the Interoperable Device object under IPSec VPN > Link Selection.

    Hi,

    Yes, I created an "Interoperable Device". However, I had some problems issuing the certificate (the option is not available from the interoperable device dialog). I used the following command: cpca_client create_cert -n "CN=commonName" -f p12name.p12 -w pw. I got a .p12 file which was dispatched to the remote peer; let's see if it works.

    Thanks again PhoneBoy! I will update this thread to let you know if it works.
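
A check that can be run on an exported .p12 before it is sent to the remote peer, as an added example that is not part of the original posts. It uses openssl rather than cpca_client, builds a constructed self-signed bundle as stand-in data, and the function names, the expected DN and the P12_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#12 bundle before handing it to the peer.
# The password is read from the P12_PASS environment variable, so it is not
# passed on the command line (argv) of any openssl call.

# Constructed sample data: a self-signed certificate valid for 30 days.
# $1 = directory to write into. This stands in for the exported file.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=commonName" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/p12name.p12"
}

# Extract the leaf certificate (PEM) from the bundle; empty output on failure.
p12_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# Print the subject DN of the leaf certificate in RFC 2253 form.
p12_subject() {
    p12_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# check_p12 FILE EXPECTED_DN MIN_DAYS
# Returns 0 if usable; 2 unreadable, 3 wrong subject, 4 expiring, 5 no key.
check_p12() {
    subj=$(p12_subject "$1")
    [ -n "$subj" ] || { echo "cannot read $1 (bad password or format)" >&2; return 2; }
    [ "$subj" = "$2" ] || { echo "subject '$subj' != '$2'" >&2; return 3; }
    p12_cert "$1" | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null ||
        { echo "certificate expires within $3 days" >&2; return 4; }
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY' || { echo "no private key in bundle" >&2; return 5; }
}

# Demo run on the constructed bundle.
P12_PASS=constructed-demo-password; export P12_PASS
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" &&
    check_p12 "$demo_dir/p12name.p12" "CN=commonName" 7 &&
    echo "OK: $(p12_subject "$demo_dir/p12name.p12")"
rm -rf "$demo_dir"
```

The subject DN reported here is the value the gateway's matching criteria would need to agree with, which is why a mismatch is treated as a failure rather than a warning.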
