
VPN routing between Two Domain Based IPsec VPN

Hello All,

We have configured two domain-based tunnels (Satellite G/Ws), and our Check Point FW 12400 is running R77.30 Jumbo Take 302.

Cisco ASA <---- IPsec VPN (Backend Tunnel) ----> Check Point FW 12400 <---- IPsec VPN (Frontend Tunnel) ----> Cisco PIX FW

So now the question is about the VPN routing, and whether we can have two different communities with different Phase 1 and Phase 2 parameters.

Please share any other configuration method you have come across for this scenario.

Regards,

Mrigen Sane

Admin

You would have two different VPN communities, one with the backend tunnel, and one with the frontend tunnel.
Each community can have different Phase 1/2 settings.

Hello,

Thank you for the response. We had implemented the same configuration, but when we had a call with Check Point support for validation, they mentioned that, as the Satellite G/Ws (frontend and backend) are both third party, the configuration would be as follows:


One community with the Check Point FW as the center and the other two as satellites.

Note: The reason we want a new, different configuration for this is that the one Check Point suggested requires the same VPN Phase 1 and Phase 2 parameters for both third-party gateways.

And in the future we will have multiple frontend VPN tunnels, so keeping the VPN parameters the same would not really help.

Moreover, if you say there should be two different communities, then could you please let us know how the VPN routing between these two is going to take place?

Regards

Mrigen Sane

Admin

I guess I missed the part where the third party VPN endpoints need to talk to each other.
Unfortunately, members of the same VPN Community must all use the same encryption settings.
And, if you're using different VPN communities, cross-community traffic would not normally be allowed.
Maybe this would work with a Route-Based VPN, as opposed to Domain-Based VPNs, I'm not sure.