topic Re: Manually define local VPN Domain per remote peer in General Topics

Manually define local VPN Domain per remote peer

peter_schumache — Thu, 02 May 2019 08:25:38 GMT

I'm quite sure I have seen a KB article about a definition file, which allows you to define the local encryption Domain according to the remote peer, e.g.

If the remote site-to-site VPN peer is A, then my local encryption domain are my networks A1, A2 and A3

If the remote site-to-site VPN peer is B, then my local encryption domain are my networks B1 and B2

Can't find that info anymore

Re: Manually define local VPN Domain per remote peer

G_W_Albrecht — Thu, 02 May 2019 10:02:55 GMT

The options for granular control over VPN routing are available by editing the vpn_route.conf file in the conf directory of the Security Management Server. See Site to Site VPN Administration Guide R80.20 p. 72ff for details !

Re: Manually define local VPN Domain per remote peer

peter_schumache — Thu, 02 May 2019 10:51:33 GMT

It's not only VPN-Routing. I want a dedicated VPN-Domain definition per remote peer for my GW. Consider the situation, where I have my corporate gateway, which has 20 site-to-site connections with various partners.
My gateway has 1 single enryption domain definition defined as a group, which includes ALL possible networks it might negotiate with ALL peer gateways.
To be sure, that my gateway uses only a very well defined set of networks for its negotiation with a specific remote peer, i would need a specific local encryption domain for every peer. This is not possible within the SmartDashboard, but I'm pretty sure I saw this possibility within a config file.
If this can be achieved with vpn_route.conf, I would be glad to see an example of how it would look like according to the scenario described in my original post.

Re: Manually define local VPN Domain per remote peer

Andreas_Aust — Thu, 02 May 2019 11:45:55 GMT

Hi,

look for

subnet_for_range_and_peer

in the crypt.def file

Re: Manually define local VPN Domain per remote peer

Timothy_Hall — Thu, 02 May 2019 13:04:08 GMT

Yes, see scenario one here: sk108600: VPN Site-to-Site with 3rd party.

The trickiest part of this is ensuring you are editing the correct user.def file based on the gateway version, for that see here: sk98239 - Location of 'user.def' files on Security Management Server

Re: Manually define local VPN Domain per remote peer

Maarten_Sjouw — Thu, 02 May 2019 14:48:50 GMT

Yep, user.def is the way to go.
They are promising us that local per-vpn topology will be possible in a soon to be released version.
How soon? We'll have to wait and see.

Re: Manually define local VPN Domain per remote peer

PhoneBoy — Fri, 03 May 2019 21:34:58 GMT

Targeted to R80.30.M1 in maintrain: https://community.checkpoint.com/t5/Multi-Domain-Management/VPN-Domain-per-VPN-community/td-p/30246
May also be available in a customer-specific release thru your local office.