topic Re: Site-to-site VPN in Spark Firewall (SMB)

Site-to-site VPN

hle2001 — Tue, 01 Jul 2025 22:37:20 GMT

Hi everyone,

I am a long time Checkpoint users but Site-to-Site VPN is new to me and need your help.

I have a clusterXL running on model Quantum Spark 1595 manage several networks and one the network is called DMZ network housing AntiVirus server, Windows patch server, and SolarWinds monitoring system.

The DMZ network address is 10.80.192.0/24.

Security Management Server is in DMZ network (10.80.192.107)

ClusterXL virtual IP is 10.80.192.1 (FWA=10.80.192.2, FWB=10.80.192.3)

The Gateway 1595 still have two more interfaces available.

----------

I had another private network (10.10.10.0/24) connect to Ethernet1 interface on Checkpoint Gateway model 3600.

The goal is setting up private network to ClusterXL and provide access rules to use resources in DMZ network such as AntiVirus, Patch Update, and network monitoring.

Currently, I setup Ethernet2 interface on Gateway 3600 to connect directly to DMZ Cisco switch (10.80.192.0/24), so the Security Management server (10.80.192.107) can manage GW 3600, and by doing this I can create access rule for Private Network (10.10.10.0/24) to use all resources in DMZ network. Here the problem, our management want GW3600 interface to ClusterXL 1595 to allow 10.10.10.0/24 network access to DMZ resources.

I am new to Site-to-Site VPN, and our GW3600 and ClusterXL gateway pair 1595 mount in the same cabinet and very close together, can it be done? how to physically connect a single GW3600 to ClusterXL dual GW1595? and how to setup VPN for it to communicate? Do I need to use two interfaces on GW3600 for it to work?

Thank in advance for your help,

Re: Site-to-site VPN

PhoneBoy — Tue, 01 Jul 2025 22:41:17 GMT

Please provide a network diagram showing all the relevant components (including proposed configuration).
Is the 1595 managed by the same SMS as the 3600?
In any case, it should be possible to set up a VPN between the 3600 Cluster and a single 1595, though the devil is in the details.

Re: Site-to-site VPN

the_rock — Wed, 02 Jul 2025 14:57:19 GMT

You would pretty much set it up following info from below link, as say other side was 3rd party, except there would be no interoperable object here.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Basic-Site-to-Site-VPN-Configuration.htm?tocpath=Basic%20Site%20to%20Site%20VPN%20Configuration%7C_____0#Configuring_a_Star_or_Meshed_Community_Between_Internally_Managed_Security_Ga...

Re: Site-to-site VPN

hle2001 — Mon, 07 Jul 2025 18:41:31 GMT

Sorry I for got to mention. Yes, I had the SMS running GaiA R81.20 to manage both 1595 gateway (embedded R81.10.17) and 3600 gateway cluster (R81.20)