topic Re: Migrating from traditional VPN to Simplified VPN in General Topics

Migrating from traditional VPN to Simplified VPN

Malik1 — Tue, 13 Apr 2021 15:03:20 GMT

Hello Experts,

we have recently replaced our old nokia gateways on R75 to 5900 appliances on R77.30. Now we are plan to migrate to R80.30 as a pre -requisite we have run PUV that has identified the below error

Firewall policies with Traditional VPN mode

Description:

Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:
1. Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
2. In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt.
If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.
These are the Traditional VPN policies or rules that must be converted or deleted:

I have gone through the R77.30 admin guide to migrate from traditional vpn to simplified vpn and i have some queries related to that as we need to run the conversion process

Policy> Convert to > Simplified VPN.

1.When we run the conversion process it will be run on each policy package separately and not on all the policy package on the mgmt server ?

2.For each rule that allows traffic for traditional vpn that has action assigned as encrypt will be converted to two rules ?

3.Do we need to create communities prior running the conversions process ?

4. Is the conversion process reversible ? What can be a fall back plan ?

I have also seen an alternate procedure in the guide

1. On the Global Properties > VPN page, select either Simplified mode to all new Security
Policies, or Traditional or Simplified per new Security Policy. File > Save.
2. File > New... The New Policy Package window opens.
3. Create a name for the new security policy package and select Firewall and Address
Translation.
In the Security Policy Rule Base, a new column marked VPN appears and the Encrypt option is no
longer available in the Action column. You are now working in Simplified Mode

So if we make changes in the global properties will it only apply to new policy package created and wont affect the current policy packages that are using traditional vpn ?

What i was thinking of doing is to create a new policy package that uses simplified vpn and then copy the rules from the old policy package (thats using traditional vpn).

Then create the vpn rules and communities in new policy package and during migration attach the new policy package to the gateways . In case we have an issue will can attach the old policy package to roll back.

Please share any suggestions

Regards,

Sijeel

Re: Migrating from traditional VPN to Simplified VPN

G_W_Albrecht — Tue, 13 Apr 2021 16:15:12 GMT

That should work. See sk171035: The correct way to switch between a policy using Traditional mode and Simplified mode is to create a new policy with the correct mode.

Re: Migrating from traditional VPN to Simplified VPN

PhoneBoy — Wed, 14 Apr 2021 01:09:32 GMT

Just to clarify, you do not have to migrate traditional mode VPNs to simplified more prior to migrating to R80.x.
That said, it is highly recommended to do this prior to upgrading since R80.x has no conversion tools available.

If you do go through with the migration to R80.x without migrating the VPN policy from traditional to simplified, you'll still be able to use your existing policies.
However, creating new policies with traditional mode is blocked.
You will also run into other limitations down the road.

There's a few things Traditional Mode allowed that aren't as easy to do in Simplified Mode:

Allow multiple encryption algorithms per community. The workaround for this limitation is splitting up VPN communities.
Exclude some traffic from VPN.
Allow for a different encryption domain per community (something we addressed in R80.40).

Because of these limitations, the conversion wizard that's available pre-R80 doesn't always produce a satisfying result.
The original plan was to address these limitations and add the traditional to simplified conversion wizard at a later stage.

I don't have R77.30 handy, but believe you are correct how that Global Property operates: it will create new policy packages with simplified mode.
Not entirely sure you can copy/paste rules between the two policies, though.

As for a rollback plan? As this is a pretty major change, I would take a backup of your management using multiple methods (migrate export, etc) prior to starting any work.

Re: Migrating from traditional VPN to Simplified VPN

Malik1 — Thu, 15 Apr 2021 10:26:40 GMT

I have gone through the SK and it relevant only if the policy that i have created did not actually use VPN, and by mistake was created using Traditional mode.

In my case i have policy package that is using traditional vpn and i have rules with encrypt as action. So i need to create a new policy package with correct mode , create communities and manually create new rules .

Re: Migrating from traditional VPN to Simplified VPN

Malik1 — Thu, 15 Apr 2021 10:28:56 GMT

i have planned these steps , will share the outcome.

On the Global Properties > VPN page, select Simplified mode to all new Security Policies, File > Save. If you do not save, you are prompted to do so. Click OK
File > New... The New Policy Package window opens ( Create new policy package)
Create a name for the new security policy package and select Firewall and Address Translation
In the Security Policy Rule Base, a new column marked VPN appears and the Encrypt option is no longer available in the Action column. You are now working in Simplified Mode.
Copy rulebase form the current active policy ”
Create new communities and interoperable devices.
Manually migrate the rule that have encrypt option enabled.

Re: Migrating from traditional VPN to Simplified VPN

_Val_ — Thu, 15 Apr 2021 11:00:57 GMT

correct