topic Re: Tunnel mode VPN and Transport mode VPN in General Topics

Tunnel mode VPN and Transport mode VPN

Sharma_Prashant — Wed, 04 Oct 2017 11:19:38 GMT

Does Checkpoint support only Tunnel mode VPN only or we can use Transport mode as well for IPSEC...?

can we switch between them?

Any documentation can we get it on this to get the clarity with example...?

Re: Tunnel mode VPN and Transport mode VPN

Timothy_Hall — Thu, 05 Oct 2017 13:57:26 GMT

Pretty sure Check Point does not support Transport Mode (which is essentially AH only) and never has. Transport Mode only provides the Integrity (SHA1/MD5/SHA256) and Authenticity (digital signatures) elements of the CIA model, while ESP adds in the Confidentiality piece (3DES/AES-XXX) along with the tunneling/encapsulation functionality. All modern VPNs use ESP, but VPNs with Verizon corporate still call for the use of Transport Mode for some reason.

In the old days on other vendors it was possible to use just AH in transport mode without ESP. This provided Integrity & Authenticity for the payload/data portion of an IP packet only with no encryption; the packet headers would be left intact and the entire packet would not be tunneled. This would save on encryption overhead when CPUs were much slower than they are today however good ol' Moore's Law has rendered this concern mostly moot.

Inevitably I would be asked for an example during a Check Point class about why in the heck you wouldn't want to encrypt the packet with ESP and achieve confidentiality; the best example I could come up with were real-time stock quotes. You sure as heck don't want someone to spoof them or tamper with them and as a result have your computer-based trading go awry, but you don't especially care if a man in the middle can see the quotes since they are more or less public information. Read the Wikipedia article about Knight Capital for a graphic description of how a prominent high frequency trading firm was essentially bankrupted in the space of 45 minutes by automated trading errors.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: Tunnel mode VPN and Transport mode VPN

Pawel_Topczewsk — Thu, 19 Oct 2017 15:13:04 GMT

Are You sure about it.

How would You explain situation when IPSec SA is set to NULL for IKE Phase 2?

Sincerely

Re: Tunnel mode VPN and Transport mode VPN

Timothy_Hall — Thu, 19 Oct 2017 21:31:10 GMT

Setting the Phase 2 Encryption to NULL does not cause Transport Mode to be used, it simply disables encryption of traffic traversing the VPN tunnel. The entire original packet is still tunneled by ESP and digitally signed.

Transport mode encrypts just the payload of the original packet and leaves the original packet header intact with no tunneling.

There are references to "Transport Mode" scattered throughout the Check Point VPN documentation, but they refer to supporting Transport Mode for Remote Access via L2TP and also GRE. Transport Mode is not supported for site-to-site VPN.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: Tunnel mode VPN and Transport mode VPN

Pawel_Topczewsk — Fri, 20 Oct 2017 07:46:32 GMT

Sorry Tim, I was thinking about enforcing AH only mode in Tunnel Mode. I was thinking this would disable ESP and leave only AH part of IPSec.

Re: Tunnel mode VPN and Transport mode VPN

Gomboragchaa — Mon, 22 Jan 2018 09:19:58 GMT

@Tim Hall

I have a issue on transport Mode via GRE. Toplogy is:

peer 1 ------- checkpoint ---- VPN ---- cisco ASA ----- peer2

Peer 1 and Peer 2 has GRE VPN connection. Checkpoint with ASA firewall connected NAT-T Site2Site vpn.

Both peer routers are connecting. But GRE tunnel doesn't work.

Is it possible to connect gre tunnel?

Re: Tunnel mode VPN and Transport mode VPN

Timothy_Hall — Mon, 22 Jan 2018 21:12:29 GMT

Pretty sure GRE inside an IPSec tunnel is supported, although I can't recall ever setting one up. Is the Check Point side a cluster? If so could this be your issue: sk90060: GRE tunnel stops working inside a Site-to-Site VPN tunnel established with Check Point cluster

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Tunnel mode VPN and Transport mode VPN

Gomboragchaa — Tue, 23 Jan 2018 01:45:35 GMT

Thank you,

Checkpoint Side is cluster. Packets were coming in clear text and checkpoint dropping it.

We tried without VPN. Checkpoint has direct connected ASA and we created static route. Certainly, both peers are can connect each other.

peer 1 ------- checkpoint ---- Direct Optic Link(without VPN) ---- cisco ASA ----- peer2

It hasn't dropp log, but still couldn't establish.

Re: Tunnel mode VPN and Transport mode VPN

Harshpal_Bhati — Thu, 18 Jul 2019 04:47:12 GMT

From sk104760 , i can see both are supported . IPsec can be implemented in a host-to-host transport mode, as well as in a network tunneling mode:

Re: Tunnel mode VPN and Transport mode VPN

Timothy_Hall — Thu, 18 Jul 2019 13:19:00 GMT

I don't think this is the case, the part of the SK you are quoting is describing the theoretical elements of IPSec, not what can actually be configured. There is no way to set an IPSec tunnel to use Transport mode that I can find, and Tunnel mode is the default. I'd love to be proven wrong...