Creating multiple VPN site to site connections on CheckPoint
Dear Team,
Is it possible to create multiple VPN site to site connections between one CheckPoint FW and multiple external gateways?
If yes, could you please help me with this scenario:
- On HQ, I have a CheckPoint FW with two subnets: 192.168.1.0/24 and 192.168.2.0/24.
- Site A: subnet 192.168.3.0/24
- Site B: subnet 192.168.4.0/24.
Site A can only access the subnet 192.168.1.0/24 and Site B can only access the subnet 192.168.2.0/24.
I have some trouble with a few points:
- On the CHKP FW, when defining the local encryption domain, I need to include both subnets, right?
- On Site A GW_A: I define the local subnet as 192.168.3.0/24, but should the remote subnet contain both subnets 1.0/24 and 2.0/24, or only the one subnet 192.168.1.0/24?
- Tunnel sharing on CHKP: do I need to use one tunnel per pair of subnets or one tunnel per pair of GWs?
- Do I need to use VTI on CHKP?
Thanks all,
Best regards,
Kiet NGUYEN.
- Tags:
- site to site vpn
Are all the VPN gateways Check Point devices and managed by you and connected to the same management server? If yes to everything, then it is a very easy setup.
- HQ FW: VPN-Domain = 192.168.1.0/24, 192.168.2.0/24
- Site A FW: VPN-Domain = 192.168.3.0/24
- Site B FW: VPN-Domain = 192.168.4.0/24
Then you add all three FWs to a community - Star or Meshed. If Meshed then all gateways will be of the same level of importance and can communicate to each other. If Star then you can choose center gateways (HQ) and satellite gateways (Site A, Site B). For Star community you can also choose options of routing traffic through VPN:
- To center only.
- To center and to other satellites through center.
- To center, or through the center to other satellites, to internet and other VPN targets.
As for the settings "One VPN tunnel per ...", the best option would be to go with One VPN tunnel per subnet pair. It will provide more security than One VPN tunnel per Gateway pair, and not overflow gateway tables in case you have many, many networks and hosts behind gateways as in One VPN tunnel per each pair of hosts.
There is no need for VTI in simple cases like this.
And then you just need to create proper firewall/access rules to provide this part:
"Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24."
| Source | Destination | VPN | Service | Action |
|---|---|---|---|---|
| 192.168.3.0/24 | 192.168.1.0/24 | VPN_Community | Any | Allow |
| 192.168.4.0/24 | 192.168.2.0/24 | VPN_Community | Any | Allow |
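As an added illustration (not part of this thread and not Check Point software), the following Python models the split the answer relies on: the HQ encryption domain carries both HQ subnets, while the access rules decide which site reaches which subnet, and it counts tunnels for the "one tunnel per gateway pair" versus "per subnet pair" settings. Gateway names, the rulebase shape and the tunnel arithmetic are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Encryption (VPN) domains per gateway, from the answer above. Gateway names are assumed.
VPN_DOMAINS = {
    "HQ": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
    "Site_A": [ip_network("192.168.3.0/24")],
    "Site_B": [ip_network("192.168.4.0/24")],
}

# Access rules as (source, destination, action); anything unmatched is dropped.
RULES = [
    (ip_network("192.168.3.0/24"), ip_network("192.168.1.0/24"), "accept"),
    (ip_network("192.168.4.0/24"), ip_network("192.168.2.0/24"), "accept"),
]

def gateway_for(ip):
    """Return the gateway whose encryption domain contains ip, or None."""
    addr = ip_address(ip)
    for gw, nets in VPN_DOMAINS.items():
        if any(addr in net for net in nets):
            return gw
    return None

def evaluate(src, dst):
    """Return (tunnel, action) for a src->dst packet: the gateway pair whose
    tunnel would carry it, and what the rulebase does with it."""
    src_gw, dst_gw = gateway_for(src), gateway_for(dst)
    if src_gw is None or dst_gw is None or src_gw == dst_gw:
        return None, "not-vpn"  # not between two encryption domains
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, action in RULES:
        if s in rule_src and d in rule_dst:
            return (src_gw, dst_gw), action
    # Both ends are in encryption domains, so the tunnel exists, but the
    # rulebase (not the VPN domain) is what blocks Site A from 192.168.2.0/24.
    return (src_gw, dst_gw), "drop"

def tunnel_count(gw_a, gw_b, sharing):
    """Tunnels between two gateways for the 'One VPN tunnel per ...' setting
    (illustrative counting; per-host-pair depends on live traffic)."""
    if sharing == "gateway":
        return 1
    if sharing == "subnet":
        return len(VPN_DOMAINS[gw_a]) * len(VPN_DOMAINS[gw_b])
    raise ValueError("unsupported sharing mode: " + sharing)

if __name__ == "__main__":
    for flow in [("192.168.3.10", "192.168.1.5"), ("192.168.3.10", "192.168.2.5")]:
        print(flow, evaluate(*flow))
    print("HQ-Site_A tunnels per subnet pair:", tunnel_count("HQ", "Site_A", "subnet"))
```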
Does this solution work on 3rd-party devices as well?
This is too broad a question. And the general answer is yes, this is how VPN is configured on Check Point. The main difference will be to add 3rd party devices as Interoperable devices. And of course settings on both sides of the VPN must be the same - encryption, hash, networks for VPN. Here I described, without getting into details, how to configure VPN on Check Point devices.
It would be better to read the VPN Admin Guide first:
VPN Administration Guide R80.10
And check the SK database:
Hi Aleksei Shelepov,
I appreciate your help. But unfortunately, the two devices in the two sites are other devices (not CheckPoint). Can I define two separate VPN Community domains for it? Or do I really need to define only one community domain?
If I can define only one encryption domain, how can I set it up?
Thanks so much for your help,
Kiet.
While a given gateway can peer with many VPN endpoints, only one encryption domain can be defined per gateway.
The encryption domain would include all subnets behind a given gateway (or a subset thereof).
In your situation, it would include 192.168.3.0/24 and 192.168.4.0/24.
The rules would be configured as Aleksei Shelepov described in his initial post.
