topic Re: S2S VPN & Vlans in Firewall and Security Management

S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 09:41:56 GMT

Is there any guide that shows how to do subnet advertisement over the S2S tunnel (2 checkpoint appliances)

We have got about 5 different VLANS that needs to be advertised from the main office to the branch office.

Any ideas!

Re: S2S VPN & Vlans

G_W_Albrecht — Tue, 09 Apr 2024 11:21:00 GMT

Why do you need that ? Usually you include all subnets in VPN Encryption Domains for each peer.

Re: S2S VPN & Vlans

the_rock — Tue, 09 Apr 2024 12:00:32 GMT

I would agree with @G_W_Albrecht . By the way, whatever you need to advertise, just include it in VPN domain and ever since R80, you can have specific group as generic vpn domain in the object itself, but then you can assign different ones as per community (below screenshot)

Andy

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 12:19:07 GMT

Clarification on VLAN Tagging and Configuration:

We defined the allowed networks for the VPN tunnel. However, I'm unsure how VLAN tagging would work in this scenario.

Ideally, I'd like to find a comprehensive guide that outlines the configuration process for both the Check Point firewall at the main office and the Check Point firewall in the branch office. This guide should specifically address:

VLAN Tagging Configuration: How to configure VLAN tagging on both the firewall and switch to ensure proper segregation and routing of VLAN traffic from the main office to the branch office through the VPN tunnel.
Visibility and Functionality: How to ensure that VLANs from the main office appear and function seamlessly on the switch connected to the Check Point firewall in the branch office.

By following a detailed guide that addresses these aspects, I can confidently configure the VPN tunnel and achieve the desired functionality for VLAN traffic across both locations.

Additionally:

If there are any best practices or security considerations regarding VLAN tagging in this setup, I would appreciate any insights you can provide.

Re: S2S VPN & Vlans

G_W_Albrecht — Tue, 09 Apr 2024 12:34:45 GMT

On CP side you only need to consider R81.10 Gaia Administration Guide - VLAN Interfaces. Switches are configured according to their specs. It should work transparently over VPN if the Encryption Domains are defined correctly.

Re: S2S VPN & Vlans

the_rock — Tue, 09 Apr 2024 12:31:51 GMT

Just follow link Guenther gave. I am not aware of any specific document/acticle that talks about something like this through the vpn tunnel.

Andy

Re: S2S VPN & Vlans

mccabe — Tue, 09 Apr 2024 12:56:09 GMT

Just adding in my 2p on this one if I may; apologies if I have misunderstood you but I had a similar question put to me just last week. In that case, the customer had an existing MPLS L2 network and wanted to find a way to keep the L2 build broadly similar after migrating to VPN tunnels.

Its important to note that the VPN tunnel is a layer 3 entity; its IP to IP. Its not possible to segregate this L3 tunnel into a series of layer 2 VLANs, in the manner of an ethernet trunk.

Instead, what you need to do (as Gunther and Andy mention) is include the respective subnets in the 'encryption domain'.

Again, apologies if thats not what you're asking.

G

Re: S2S VPN & Vlans

the_rock — Tue, 09 Apr 2024 13:11:14 GMT

Thats super valid point, it would be layer 3 "system" if you will, so the statement about segregating it into separate layer 2 entities may not work, agree.

Not sure if there is written statement anywhere about it, but I could not find one myself.

Andy

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 13:25:13 GMT

You have a very good point about the difference between l2 and l3 in this specific case

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 13:26:04 GMT

Maybe this needs to be considered?

f you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).

The Security Gateway processes the tagged packet and does not remove VLAN tags from them.

The traffic passes with the original VLAN tag to its destination.

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 13:31:33 GMT

If the Interface VLAN that i need to send to the branch office is not defined in the firewall but only in the router (internal traffic)

How would the process of creating a new interface vlan on the firewall go?

Example:

add interface bond0 vlan 530
set interface bond0 state on

set interface bond0.530 comments "Print"
set interface bond0.530 state on
set interface bond0.530 ipv4-address 10.40.10.25 mask-length 24

what happens next?

Re: S2S VPN & Vlans

the_rock — Tue, 09 Apr 2024 13:33:26 GMT

That looks right. Well, just make sure its aded as part of enc vpn domain.

Andy

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 13:37:02 GMT

that config will be done on the main office, what about the branch office configuration. Is it the same?

Do i need to consider this:

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).

The Security Gateway processes the tagged packet and does not remove VLAN tags from them.

The traffic passes with the original VLAN tag to its destination.

Re: S2S VPN & Vlans

G_W_Albrecht — Tue, 09 Apr 2024 13:40:14 GMT

Why would you use a bridge interface ? This will make many features unavailable! Both peers have their own Encryption domain - all networks should be included that have to be reached by clients from peer site.

Re: S2S VPN & Vlans

Moudar — Tue, 09 Apr 2024 13:47:02 GMT

I am not an expert here, but i am trying to learn!

In the branch office a Cisco switch will be connected to the firewall. How would the firewall configuration be ?

How would the switch understand that this traffic is tagged? I am trying to understand the process!

The branch office is 1575 small business appliance