Dear Team,
Is it possible to create multiple site-to-site VPN connections between one Check Point FW and multiple external gateways?
If yes, could you please help me with this scenario:
- On HQ, I have a CheckPoint FW with two subnets: 192.168.1.0/24 and 192.168.2.0/24.
- Site A: subnet: 192.168.3.0/24
- Site B: subnet: 192.168.4.0/24.
Site A can only access the subnet 192.168.1.0/24 and Site B can only access the subnet 192.168.2.0/24.
I have some troubles in some points:
- On CHKP FW, when defining the local encryption domain, I need to include both subnets, right?
- On Site A GW_A: I define the local subnet as 192.168.3.0/24, but should the remote subnet contain both subnets 1.0/24 and 2.0/24, or only the one subnet 192.168.1.0/24?
- Tunnel sharing on CHKP: do I need to use one tunnel per pair of subnets or one tunnel per pair of GWs?
- Do I need to use VTI on CHKP?
Thanks all,
Best regards,
Kiet NGUYEN.
Are all the VPN gateways Check Point devices and managed by you and connected to the same management server? If yes to everything, then it is a very easy setup.
Then you add all three FWs to a community - Star or Meshed. If Meshed then all gateways will be of the same level of importance and can communicate with each other. If Star then you can choose center gateways (HQ) and satellite gateways (Site A, Site B). For a Star community you can also choose options for routing traffic through VPN:
As for the settings "One VPN tunnel per ...", the best option would be to go with One VPN tunnel per subnet pair. It will provide more security than One VPN tunnel per Gateway pair, and will not overflow gateway tables in case you have many networks and hosts behind gateways, as happens with One VPN tunnel per each pair of hosts.
There is no need for VTI in simple cases like this.
And then you just need to create proper firewall/access rules to provide this part:
"Site A can only access the subnet 192.168.1.0/24 and Site B can only access the subnet 192.168.2.0/24."

| Source | Destination | VPN | Service | Action |
|---|---|---|---|---|
| 192.168.3.0/24 | 192.168.1.0/24 | VPN_Community | Any | Allow |
| 192.168.4.0/24 | 192.168.2.0/24 | VPN_Community | Any | Allow |
Does this solution work for 3rd-party devices as well?
This is too broad a question. The general answer is yes, this is how VPN is configured on Check Point. The main difference will be adding the 3rd-party devices as Interoperable Devices. And of course the settings on both sides of the VPN must be the same - encryption, hash, networks for VPN. Here I described, without going into details, how to configure VPN on Check Point devices.
It would be better to read VPN Admin Guide first:
VPN Administration Guide R80.10
And check SK database:
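As an added illustration (not code from the thread and not Check Point's own tooling): a small Python check that evaluates the rule table above against the subnets in the scenario, confirming that a Site A host reaches only 192.168.1.0/24 and a Site B host only 192.168.2.0/24, and that flags overlapping encryption domains, which is the usual cause of the "networks for VPN must match on both sides" problem. The gateway names, the sample host addresses and the explicit cleanup rule are assumptions made for the example.

```python
"""Check that a VPN access-rule table enforces the intended site-to-site
reachability and that encryption domains do not overlap.

Hypothetical helper written for this thread, not Check Point code. The
gateway names, encryption domains and rule table are constructed from the
scenario in the thread (HQ with 192.168.1.0/24 and 192.168.2.0/24,
Site A with 192.168.3.0/24, Site B with 192.168.4.0/24)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed: one encryption domain per gateway (a gateway has only one).
ENCRYPTION_DOMAINS = {
    "HQ": ["192.168.1.0/24", "192.168.2.0/24"],
    "Site_A": ["192.168.3.0/24"],
    "Site_B": ["192.168.4.0/24"],
}


@dataclass(frozen=True)
class Rule:
    src: str      # source network
    dst: str      # destination network
    vpn: str      # "VPN_Community" (must traverse the community) or "Any"
    action: str   # "Allow" or "Drop"


# Constructed: the rule table from the answer above, plus an explicit
# cleanup rule standing in for the implied drop at the end of the rulebase.
ACCESS_RULES = [
    Rule("192.168.3.0/24", "192.168.1.0/24", "VPN_Community", "Allow"),
    Rule("192.168.4.0/24", "192.168.2.0/24", "VPN_Community", "Allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "Any", "Drop"),
]


def gateway_for(host):
    """Return the gateway whose encryption domain contains host, or None."""
    addr = ip_address(host)
    for gateway, nets in ENCRYPTION_DOMAINS.items():
        if any(addr in ip_network(net) for net in nets):
            return gateway
    return None


def crosses_vpn(src, dst):
    """True when src and dst sit behind two different community members,
    i.e. the packet would be encrypted by the VPN community."""
    gw_src, gw_dst = gateway_for(src), gateway_for(dst)
    return gw_src is not None and gw_dst is not None and gw_src != gw_dst


def evaluate(src, dst):
    """First-match rulebase evaluation for a src -> dst flow (any service)."""
    a_src, a_dst = ip_address(src), ip_address(dst)
    for rule in ACCESS_RULES:
        if a_src not in ip_network(rule.src) or a_dst not in ip_network(rule.dst):
            continue
        # A rule restricted to the community only matches encrypted traffic.
        if rule.vpn == "VPN_Community" and not crosses_vpn(src, dst):
            continue
        return rule.action
    return "Drop"  # nothing matched: implicit drop


def overlapping_domains():
    """Pairs of gateways whose encryption domains overlap. Overlap is a
    configuration error: a peer cannot decide which tunnel a subnet belongs to."""
    problems = []
    for (gw_a, nets_a), (gw_b, nets_b) in combinations(ENCRYPTION_DOMAINS.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if ip_network(net_a).overlaps(ip_network(net_b)):
                    problems.append((gw_a, gw_b, net_a, net_b))
    return problems


def reachability_report():
    """Which HQ subnet each site host can reach, as a dict for inspection."""
    sites = {"Site_A": "192.168.3.10", "Site_B": "192.168.4.10"}      # constructed hosts
    targets = {"192.168.1.0/24": "192.168.1.10", "192.168.2.0/24": "192.168.2.10"}
    return {site: {net: evaluate(host, tgt) for net, tgt in targets.items()}
            for site, host in sites.items()}


if __name__ == "__main__":
    for site, result in reachability_report().items():
        print(site, result)
    print("overlapping encryption domains:", overlapping_domains())
```

Adding a third subnet that also appears in another gateway's encryption domain (for example a second copy of 192.168.2.0/24 behind Site B) makes `overlapping_domains()` report the pair, which is the check worth running before opening a ticket about a tunnel that never establishes.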
Hi Aleksei Shelepov,
I appreciate your help. But unfortunately, the two devices in the two sites are other devices (not Check Point). Can I define two separate VPN Community domains for them? Or do I really need to define only one community domain?
If I can define only one encryption domain, how can I set it up?
Thanks so much for your help,
Kiet.
While a given gateway can peer with many VPN endpoints, only one encryption domain can be defined per gateway.
The encryption domain would include all subnets behind a given gateway (or a subset thereof).
In your situation, it would include 192.168.3.0/24 and 192.168.4.0/24.
The rules would be configured as Aleksei Shelepov described in his initial post.