cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Highlighted

Creating multiple VPN site to site connections on CheckPoint

Dear Team,

Is it possible to create mutiple VPN site to site connections between one CheckPoint FW and multiple external gateways ?

If yes, Could you please help me on this scenario:

- On HQ, I have a CheckPoint FW with two subnets: 192.168.1.0/24 and 192.168.2.0/24.

- Site A: subnet: 192.168.3.0/24

- Site B: subnet: 192.168.4.0/24.

Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24.

I have some troubles in some points:

- On CHKP FW, defining local encryption domain, I need contains all two subnets, right ?

- On Site A GW_A: I define local subnet is 192.168.3.0/24 but remote subnet is contain both subnet 1.0/24 and 2.0/24 or only one subnet 192.168.1.0/24 ?

- Tunnel sharing on CHKP: I need to use one tunnel per a pair of subnet or one tunnel per a pair of GW ?

- Do I need to use VTI on CHKP.

Thanks all , Smiley Happy

Best regards,

Kiet NGUYEN.

Tags (1)
0 Kudos
5 Replies

Re: Creating multiple VPN site to site connections on CheckPoint

Are all the VPN gateways Check Point devices and managed by you and connected to the same management server? If yes to everything, then it is a very easy setup.

  • HQ FW: VPN-Domain = 192.168.1.0/24, 192.168.2.0/24, 
  • Site A FW: VPN-Domain = 192.168.3.0/24
  • Site B FW: VPN-Domain = 192.168.4.0/24

Then you add all three FWs to a community - Star or Meshed. If Meshed then all gateways will be of the same level of importance and can communicate to eah other. If Star then you can choose center gateways (HQ) and satellite gateways (Site A, Site B). For Star community you can also choose options of routing traffic trough VPN:

  • To center only.
  • To center and to other satellites through center.
  • To center, or through the center to other satellites, to internet and other VPN targets.

As for the settings "One VPN tunnel per ...", the best option would be to go with One VPN tunnel per subnet pair. It will provide more security that One VPN tunnel per Gateway pair, and not overflow gateway tables in case you have many-many networks and hosts behind gateways as in One VPN tunnel per each pair of hosts.

There is no need in VTI in simple cases like this.

And then you just need to create proper firewall/access rules to provide this part:

"Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24."

SourceDestinationVPNServiceAction
192.168.3.0/24192.168.1.0/24VPN_CommunityAnyAllow
192.168.4.0/24192.168.2.0/24VPN_CommunityAnyAllow

Configuring Site to Site VPN Rules in the Access Policy 

Re: Creating multiple VPN site to site connections on CheckPoint

For this solution work on 3-Party devices as well right?

0 Kudos

Re: Creating multiple VPN site to site connections on CheckPoint

This is a too broad question. And the general answer is yes, this is how VPN configured on Check Point. The main difference will be to add 3rd party devices as Interoperable devices. And of course settings on both sides of VPN must be the same - encryption, hash, networks for VPN. Here I described without getting in some details how to configure VPN on Check Point devices.

It would be better to read VPN Admin Guide first:

VPN Administration Guide R77 

VPN Administration Guide R80.10

And check SK database:

VPN Site-to-Site with 3rd party 

Debugging Site-to-Site VPN 

0 Kudos

Re: Creating multiple VPN site to site connections on CheckPoint

Hi Aleksei Shelepov,

I appreciate your help. But unfortunately, two devices in two sites is other devices ( not CheckPoint). Can I define two separate VPN Community domain for it ? Or I really need define only one community domain ?

If I can define only one encryption domain, how can I setup it ? 

Thanks so much for your help,

Kiet.

0 Kudos
Admin
Admin

Re: Creating multiple VPN site to site connections on CheckPoint

While a given gateway can peer with many VPN endpoints, only one encryption domain can be defined per gateway.

The encryption domain would include all subnets behind a given gateway (or a subset thereof).

In your situation, it would include 192.168.3.0/24 and 192.168.4.0/24.

The rules would be configured as Aleksei Shelepov‌ described in his initial post.

0 Kudos