This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
KietN_NGUYEN
Explorer
‎2018-03-11 03:19 AM

Creating multiple VPN site to site connections on CheckPoint

Dear Team,

Is it possible to create mutiple VPN site to site connections between one CheckPoint FW and multiple external gateways ?

If yes, Could you please help me on this scenario:

- On HQ, I have a CheckPoint FW with two subnets: 192.168.1.0/24 and 192.168.2.0/24.

- Site A: subnet: 192.168.3.0/24

- Site B: subnet: 192.168.4.0/24.

Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24.

I have some troubles in some points:

- On CHKP FW, defining local encryption domain, I need contains all two subnets, right ?

- On Site A GW_A: I define local subnet is 192.168.3.0/24 but remote subnet is contain both subnet 1.0/24 and 2.0/24 or only one subnet 192.168.1.0/24 ?

- Tunnel sharing on CHKP: I need to use one tunnel per a pair of subnet or one tunnel per a pair of GW ?

- Do I need to use VTI on CHKP.

Thanks all , Smiley Happy

Best regards,

Kiet NGUYEN.

0 Kudos
Reply
5 Replies
AlekseiShelepov
Advisor
‎2018-03-11 04:57 AM

Are all the VPN gateways Check Point devices and managed by you and connected to the same management server? If yes to everything, then it is a very easy setup.

  • HQ FW: VPN-Domain = 192.168.1.0/24, 192.168.2.0/24, 
  • Site A FW: VPN-Domain = 192.168.3.0/24
  • Site B FW: VPN-Domain = 192.168.4.0/24

Then you add all three FWs to a community - Star or Meshed. If Meshed then all gateways will be of the same level of importance and can communicate to eah other. If Star then you can choose center gateways (HQ) and satellite gateways (Site A, Site B). For Star community you can also choose options of routing traffic trough VPN:

  • To center only.
  • To center and to other satellites through center.
  • To center, or through the center to other satellites, to internet and other VPN targets.

As for the settings "One VPN tunnel per ...", the best option would be to go with One VPN tunnel per subnet pair. It will provide more security that One VPN tunnel per Gateway pair, and not overflow gateway tables in case you have many-many networks and hosts behind gateways as in One VPN tunnel per each pair of hosts.

There is no need in VTI in simple cases like this.

And then you just need to create proper firewall/access rules to provide this part:

"Site A only can access to the subnet 192.168.1.0/24 and Site B only can access to the subnet 192.168.2.0/24."

SourceDestinationVPNServiceAction
192.168.3.0/24192.168.1.0/24VPN_CommunityAnyAllow
192.168.4.0/24192.168.2.0/24VPN_CommunityAnyAllow

Configuring Site to Site VPN Rules in the Access Policy 

Reply
Worapong_Janloy
Contributor
‎2018-09-20 09:26 AM
In response to AlekseiShelepov

For this solution work on 3-Party devices as well right?

0 Kudos
Reply
AlekseiShelepov
Advisor
‎2018-09-20 02:30 PM
In response to Worapong_Janloy

This is a too broad question. And the general answer is yes, this is how VPN configured on Check Point. The main difference will be to add 3rd party devices as Interoperable devices. And of course settings on both sides of VPN must be the same - encryption, hash, networks for VPN. Here I described without getting in some details how to configure VPN on Check Point devices.

It would be better to read VPN Admin Guide first:

VPN Administration Guide R77 

VPN Administration Guide R80.10

And check SK database:

VPN Site-to-Site with 3rd party 

Debugging Site-to-Site VPN 

0 Kudos
Reply
KietN_NGUYEN
Explorer
‎2018-03-21 08:35 AM

Hi Aleksei Shelepov,

I appreciate your help. But unfortunately, two devices in two sites is other devices ( not CheckPoint). Can I define two separate VPN Community domain for it ? Or I really need define only one community domain ?

If I can define only one encryption domain, how can I setup it ? 

Thanks so much for your help,

Kiet.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-09-21 09:28 AM
In response to KietN_NGUYEN

While a given gateway can peer with many VPN endpoints, only one encryption domain can be defined per gateway.

The encryption domain would include all subnets behind a given gateway (or a subset thereof).

In your situation, it would include 192.168.3.0/24 and 192.168.4.0/24.

The rules would be configured as Aleksei Shelepov‌ described in his initial post.

0 Kudos
Reply