Discussion:
CheckPoint VPN to Gw with dynamic address, dyndns and preshared key
Diego Balgera
2008-08-18 19:25:39 UTC
Hi,

My environment: CheckPoint R65 over Nokia Ipso 4.2, static public IP
address on the external interface.
I need to set up a VPN to a host with a dynamic IP address on its external
interface, resolvable to a static name with dynamic DNS. This remote
host supports VPN authentication with a preshared secret.

So I try to set up an interoperable device in R65, specifying that this host
has a dynamic IP (in both the host definition and in the topology /
interfaces).
1) First of all, where do I configure the dynamic DNS name of the remote
peer?
2) Secondly, I'm told that "a certificate authority for certificate
matching criteria is required for externally manager VPN gateways and
interoperable devices with dynamic IP address". But (regardless of whether
it can be considered secure or not, the security in my case is not so critical)
I would like to configure a "simple" VPN to this dynamic gateway with
a preshared secret only ...

Mmmh, I guess I'm getting something wrong. Is it possible to configure a VPN
in this environment? Any tips?
Note: downgrading the CP VPN-1 version is not a problem, if required.

Thank you in advance!
Best regards.
Diego.
pkc_mls
2008-09-01 08:53:48 UTC
Post by Diego Balgera
Hi,
My environment: CheckPoint R65 over Nokia Ipso 4.2, static public IP
address on the external interface.
I need to set up a VPN to a host with a dynamic IP address on its
external interface, resolvable to a static name with dynamic DNS. This
remote host supports VPN authentication with a preshared secret.
So I try to set up an interoperable device in R65, specifying that this host
has a dynamic IP (in both the host definition and in the topology /
interfaces).
1) First of all, where do I configure the dynamic DNS name of the
remote peer?
2) Secondly, I'm told that "a certificate authority for
certificate matching criteria is required for externally manager VPN
gateways and interoperable devices with dynamic IP address". But
(regardless of whether it can be considered secure or not, the security in my
case is not so critical) I would like to configure a "simple" VPN to
this dynamic gateway with a preshared secret only ...

Did you configure phase 1 explicitly for aggressive mode?
You shouldn't need any certificate with phase 1 aggressive mode.
The only issue is that only the peer with the dynamic ID can initiate
the VPN.
What is the remote host? (Which type, OS, etc.)

Post by Diego Balgera
Mmmh, I guess I'm getting something wrong. Is it possible to configure a
VPN in this environment? Any tips?
Note: downgrading the CP VPN-1 version is not a problem, if required.
Thank you in advance!
Best regards.
Diego.