<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Tunnel Sharing in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/192435#M32239</link>
    <description>&lt;P&gt;Hello, brother&amp;nbsp;8)&lt;/P&gt;
&lt;P&gt;Reading this post thread, I ask you ... in your experience, if you use the "... per Gateway pair" option in a traditional VPN (other than against AWS, GCP, Azure), I understand that Check Point here presents phase 2 as 0.0.0.0/0.&lt;/P&gt;
&lt;P&gt;So, the remote peer, in its phase 2, would also have in any case to "configure" its phase 2 with the same value?&lt;/P&gt;
&lt;P&gt;That is, with 0.0.0.0/0?&lt;/P&gt;</description>
    <pubDate>Tue, 12 Sep 2023 15:29:01 GMT</pubDate>
    <dc:creator>Matlu</dc:creator>
    <dc:date>2023-09-12T15:29:01Z</dc:date>
    <item>
      <title>Tunnel Sharing</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191074#M32034</link>
      <description>&lt;P&gt;I have an IPsec VPN with a third party that has a FortiGate VPN firewall. There are 5 Encryption Domains (EDs) on the same peer with different VLANs, but defined as a host.&lt;BR /&gt;&lt;BR /&gt;The tunnel management option I have selected is "One VPN Tunnel per Gateway pair". What problem does it cause? Or which tunnel management option do I have to select in order for all EDs to be up on phase 2?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2023 12:06:15 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191074#M32034</guid>
      <dc:creator>gemechisd</dc:creator>
      <dc:date>2023-08-30T12:06:15Z</dc:date>
    </item>
    <item>
      <title>Re: Tunnel Sharing</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191076#M32036</link>
      <description>&lt;P&gt;What does not work with the current settings? And what do you mean by: there are 5 Encryption Domains (EDs) on the same peer with different VLANs but defined as a host? Maybe a rough topology sketch will help to understand it.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2023 12:36:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191076#M32036</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2023-08-30T12:36:46Z</dc:date>
    </item>
    <item>
      <title>Re: Tunnel Sharing</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191087#M32043</link>
      <description>&lt;P&gt;Here is what I will tell you. From all my experience with CP VPN tunnels, I learned some important things that I believe should be taken into consideration.&lt;/P&gt;
&lt;P&gt;First off, not sure how long you have been around CP, but in the old days of Check Point, and I'm talking probably R60 and before, CP would ALWAYS try to present the largest possible subnet to the peer; no matter if it was explicitly configured to, say, send /29, it would always try to send /24 or a larger subnet. That's not so much of an issue these days, but just to be on the safe side, I would verify the below settings in GuiDBedit are set to FALSE:&lt;/P&gt;
&lt;P&gt;ike_enable_supernet&lt;/P&gt;
&lt;P&gt;ike_p2_enable_supernet_from_R80.20&lt;/P&gt;
&lt;P&gt;ike_use_largest_possible_subnets&lt;/P&gt;
&lt;P&gt;Now, onto the main thing I wanted to discuss. That setting, one VPN tunnel per gateway pair, personally, I would ONLY use if it's a permanent route-based tunnel with, say, Azure or AWS, but if it's a regular domain-based tunnel, do not use that setting, unless it's a combination of subnets/hosts in your CP enc. domain.&lt;/P&gt;
&lt;P&gt;Keep in mind as well, with FortiGate or PAN, it makes no difference if you select 0.0.0.0/0 phase 2 selectors; it really comes down to what you have defined in the policy itself for VPN traffic.&lt;/P&gt;
&lt;P&gt;Hope that helps, but if you need more explanation, we can do a call/remote session. Let me know.&lt;/P&gt;
&lt;P&gt;Cheers,&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2023 13:49:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/191087#M32043</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-08-30T13:49:04Z</dc:date>
    </item>
    <item>
      <title>Re: Tunnel Sharing</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/192435#M32239</link>
      <description>&lt;P&gt;Hello, brother&amp;nbsp;8)&lt;/P&gt;
&lt;P&gt;Reading this post thread, I ask you ... in your experience, if you use the "... per Gateway pair" option in a traditional VPN (other than against AWS, GCP, Azure), I understand that Check Point here presents phase 2 as 0.0.0.0/0.&lt;/P&gt;
&lt;P&gt;So, the remote peer, in its phase 2, would also have in any case to "configure" its phase 2 with the same value?&lt;/P&gt;
&lt;P&gt;That is, with 0.0.0.0/0?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Sep 2023 15:29:01 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/192435#M32239</guid>
      <dc:creator>Matlu</dc:creator>
      <dc:date>2023-09-12T15:29:01Z</dc:date>
    </item>
    <item>
      <title>Re: Tunnel Sharing</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/192439#M32240</link>
      <description>&lt;P&gt;Not necessarily. It all depends on what you assign for the VPN domain. See, CP works a bit differently when it comes to these things compared to, say, FortiGate or Cisco or even PAN. But, from my experience, when it comes to Azure or AWS VPN, we always tell customers to ensure an empty group is assigned for the VPN domain and the per gateway option is selected.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Tue, 12 Sep 2023 15:48:28 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Tunnel-Sharing/m-p/192439#M32240</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-09-12T15:48:28Z</dc:date>
    </item>
  </channel>
</rss>