Hi,
I have a question about how to encrypt all the traffic through IPSEC VPN between two sites managed by the same management server.
The topology is:
The management server is sitting in the center site LAN interface.
The center site GW is Gaia os R77.30 cluster.
The remote site site2 is a 1430 appliance running Gaia Embedded.
Both GWs are managed by the central management server.
My goal is to route and encrypt all traffic coming from the remote site site2 - including:
How should I configure it?
What do I need to configure in the Encryption domains?
Regards,
Dor.
When you say "interface to remote site", do you mean you have MPLS leading to those? Cause there is also Internet connection at the center, as I see. Remote sites, are they connected to Internet directly as well? If you have dedicated WAN to reach remote sites, why do you need to encrypt?
Consider it as one subnet.
Only the center site has a connection to the Internet.
In order for site2 to reach the internet, they need to go to the center site.
I want to encrypt all traffic from the remote site (including internet traffic).
Okay then. Each GW needs a VPN domain including all internal networks on its own site. Treat IPVPN interfaces as external. Everything behind the internal interface goes into the VPN domain.
Ok, but what about the internet traffic?
If someone from the remote site LAN goes to the internet, it won't be encrypted by the IPSEC VPN.
For that, you need to create a star-based community where your satellites are allowed to go S2S and to the Internet through the central GW. All of the above are standard options.
What do I need to configure in the VPN Domain under the GW objects?
How do the GWs determine whether the traffic should be encrypted or not?...
1. Depending on how many networks are behind the GW, and the routing to those, you can use either manual groups or the "based on topology" setting.
2. With domain-based VPNs, the GW decides to encrypt by checking that source and destination belong to VPN domains. In a star topology with the mentioned VPN routing option, all traffic from satellites to the center GW will be encrypted.
As mentioned, your situation is one of the classic configurations. I recommend you read the admin guide for VPN, as all the questions above are answered there: Site to Site VPN R80.10 Administration Guide
Hi,
Thanks, but I have an R77.30 Gaia GW at the center and a 1430 R77.20 Gaia Embedded GW at the remote site.
I am not sure that a satellite community will enforce all traffic routed to the center to be encrypted by the IPSEC, regardless of the VPN Domain configuration under each GW.
The R77.30 admin guide is not so much different.
If you do not believe me, look into sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed g... - you will find how you can achieve this even for locally managed satellites; for centrally managed ones, it just needs choosing the lowest option in Star Community VPN Routing: To center, or through the center to other satellites, to internet and other VPN targets.
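To illustrate the two decision rules discussed above (plain domain-based matching versus the star community "route all traffic through the center" option), here is a small model of the encryption decision. This is an added example written for this page, not Check Point code; the gateway names, roles and addresses are constructed and hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (hypothetical addresses, not from the thread):
# the center GW fronts the management LAN, site2 is the satellite appliance.
GATEWAYS = {
    "center": {"role": "center",    "domain": ["10.1.0.0/16"]},
    "site2":  {"role": "satellite", "domain": ["10.2.0.0/24"]},
}

def gateway_for(ip):
    """Return the name of the GW whose VPN domain contains ip, or None
    when the address is outside every domain (e.g. an Internet host)."""
    addr = ip_address(ip)
    for name, gw in GATEWAYS.items():
        if any(addr in ip_network(net) for net in gw["domain"]):
            return name
    return None

def vpn_decision(src, dst, route_all_through_center):
    """Return ("encrypt", peer_gw) or ("clear", None) for one packet.

    Rule 1 (domain-based): encrypt only if source and destination both sit
    in VPN domains of different community members.
    Rule 2 (star routing option): with route_all_through_center set, every
    packet leaving a satellite's domain is tunnelled to the center GW,
    Internet-bound traffic included.
    """
    src_gw, dst_gw = gateway_for(src), gateway_for(dst)
    if src_gw is None:
        return ("clear", None)            # not originating from a VPN domain
    if dst_gw == src_gw:
        return ("clear", None)            # stays inside the local site
    src_role = GATEWAYS[src_gw]["role"]
    if dst_gw is not None:
        if src_role == "satellite" and GATEWAYS[dst_gw]["role"] == "satellite":
            # satellite-to-satellite is only reachable via the center hub
            return ("encrypt", "center") if route_all_through_center else ("clear", None)
        return ("encrypt", dst_gw)        # both ends in domains: encrypt to peer
    # destination outside every VPN domain, i.e. the Internet
    if src_role == "satellite" and route_all_through_center:
        return ("encrypt", "center")
    return ("clear", None)                # center breaks out to Internet directly
```

Compare `vpn_decision("10.2.0.5", "203.0.113.10", False)` with the same call and `True` to see why Internet traffic from site2 is only encrypted once the routing option is selected.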