topic Re: Creating multiple VPN site to site connections on CheckPoint in General Topics

Creating multiple VPN site to site connections on CheckPoint

KietN_NGUYEN — Sun, 11 Mar 2018 10:19:12 GMT

Dear Team,

Is it possible to create mutiple VPN site to site connections between one CheckPoint FW and multiple external gateways ?

If yes, Could you please help me on this scenario:

- On HQ, I have a CheckPoint FW with two subnets: 192.168.1.0/24 and 192.168.2.0/24.

- Site A: subnet: 192.168.3.0/24

- Site B: subnet: 192.168.4.0/24.

Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24.

I have some troubles in some points:

- On CHKP FW, defining local encryption domain, I need contains all two subnets, right ?

- On Site A GW_A: I define local subnet is 192.168.3.0/24 but remote subnet is contain both subnet 1.0/24 and 2.0/24 or only one subnet 192.168.1.0/24 ?

- Tunnel sharing on CHKP: I need to use one tunnel per a pair of subnet or one tunnel per a pair of GW ?

- Do I need to use VTI on CHKP.

Thanks all ,

Best regards,

Kiet NGUYEN.

Re: Creating multiple VPN site to site connections on CheckPoint

AlekseiShelepov — Sun, 11 Mar 2018 11:57:14 GMT

Are all the VPN gateways Check Point devices and managed by you and connected to the same management server? If yes to everything, then it is a very easy setup.

HQ FW: VPN-Domain = 192.168.1.0/24, 192.168.2.0/24,
Site A FW: VPN-Domain = 192.168.3.0/24
Site B FW: VPN-Domain = 192.168.4.0/24

Then you add all three FWs to a community - Star or Meshed. If Meshed then all gateways will be of the same level of importance and can communicate to eah other. If Star then you can choose center gateways (HQ) and satellite gateways (Site A, Site B). For Star community you can also choose options of routing traffic trough VPN:

To center only.
To center and to other satellites through center.
To center, or through the center to other satellites, to internet and other VPN targets.

As for the settings "One VPN tunnel per ...", the best option would be to go with One VPN tunnel per subnet pair. It will provide more security that One VPN tunnel per Gateway pair, and not overflow gateway tables in case you have many-many networks and hosts behind gateways as in One VPN tunnel per each pair of hosts.

There is no need in VTI in simple cases like this.

And then you just need to create proper firewall/access rules to provide this part:

"Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24."

Source	Destination	VPN	Service	Action
192.168.3.0/24	192.168.1.0/24	VPN_Community	Any	Allow
192.168.4.0/24	192.168.2.0/24	VPN_Community	Any	Allow

Configuring Site to Site VPN Rules in the Access Policy

Re: Creating multiple VPN site to site connections on CheckPoint

KietN_NGUYEN — Wed, 21 Mar 2018 15:35:58 GMT

Hi Aleksei Shelepov,

I appreciate your help. But unfortunately, two devices in two sites is other devices ( not CheckPoint). Can I define two separate VPN Community domain for it ? Or I really need define only one community domain ?

If I can define only one encryption domain, how can I setup it ?

Thanks so much for your help,

Kiet.

Re: Creating multiple VPN site to site connections on CheckPoint

Worapong_Janloy — Thu, 20 Sep 2018 16:26:20 GMT

For this solution work on 3-Party devices as well right?

Re: Creating multiple VPN site to site connections on CheckPoint

AlekseiShelepov — Thu, 20 Sep 2018 21:30:40 GMT

This is a too broad question. And the general answer is yes, this is how VPN configured on Check Point. The main difference will be to add 3rd party devices as Interoperable devices. And of course settings on both sides of VPN must be the same - encryption, hash, networks for VPN. Here I described without getting in some details how to configure VPN on Check Point devices.

It would be better to read VPN Admin Guide first:

VPN Administration Guide R77

VPN Administration Guide R80.10

And check SK database:

VPN Site-to-Site with 3rd party

Debugging Site-to-Site VPN

Re: Creating multiple VPN site to site connections on CheckPoint

PhoneBoy — Fri, 21 Sep 2018 16:28:25 GMT

While a given gateway can peer with many VPN endpoints, only one encryption domain can be defined per gateway.

The encryption domain would include all subnets behind a given gateway (or a subset thereof).

In your situation, it would include 192.168.3.0/24 and 192.168.4.0/24.

The rules would be configured as Aleksei Shelepov‌ described in his initial post.