This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dor_Azumi
Participant
‎2018-10-30 02:48 AM

Encrypt All IPSEC Traffic

Hi,


I have a question about how to encrypt all the traffic through IPSEC VPN between two sites managed by the same management server.


The topology is:

  1. I have a center site with 3 interfaces - Internet interface, Center LAN interface, Interface to remote site (site2).
  2. I have a remote site (I will name him site2) with 2 interfaces - site2 LAN interface, Interface to center site.


The management server is sitting in the center site LAN interface.

The center site GW is Gaia os R77.30 cluster.

The remote site site2 is 1430 appliace running Gaia Embedded.

Both GWs are managed by the central management server.


My goal is to route and encrypt all traffic coming from the remote site site2 - including:

  • Traffic to center site LAN.
  • Traffic to the Internet.


How should I configure it?

What I need to configure in the Encryption domains?


Regards,

Dor.

11 Replies
_Val_
Admin
Admin
‎2018-10-30 03:12 AM

When you say "interface to remote site", do you mean you have MPLS leading to those? Cause there is also Internet connection at the center, as I see. Remote sites, are they connected to Internet directly as well? If you have dedicated WAN to reach remote sites, why do you need to encrypt?

0 Kudos
Dor_Azumi
Participant
‎2018-10-30 03:13 AM

The interface to remote site is simply a layer2 line (IPVPN).

Consider it as one subnet.


0 Kudos
Dor_Azumi
Participant
‎2018-10-30 03:14 AM

Only the center site has a connection to the Internet.

In order for site2 to reach the internet, they need to go to the center site.

I want to encrypt all traffic from the remote site (including internet traffic).

0 Kudos
_Val_
Admin
Admin
‎2018-10-30 03:22 AM
In response to Dor_Azumi

Okay then. Each GW needs VPN domain including all internal networks on its own site. Treat IPVPN interfaces as external. All behind internal interface goes to VPN domain

0 Kudos
Dor_Azumi
Participant
‎2018-10-30 03:24 AM

Ok, but what about the internet traffic?

If someone from the remote site LAN will go to the intenet, it won’t be encrypted by the IPSEC VPN.

0 Kudos
_Val_
Admin
Admin
‎2018-10-30 03:26 AM
In response to Dor_Azumi

For that, you need to create star based community where your satellites are allowed to go S2S and to Internet through the central GW. All of above are standard options

0 Kudos
Dor_Azumi
Participant
‎2018-10-30 03:28 AM
In response to _Val_

What I need to configure in the VPN Domain unger the GW objects?

How the GWs determines if the traffic should be encrypted or not?...

0 Kudos
_Val_
Admin
Admin
‎2018-10-30 03:33 AM
In response to Dor_Azumi

1. depending on how many networks are behind GW, and routing to those, you can use either manual groups or "based on topoligy" settings.

2. with domain based VPNs, GW decides to encrypt by checking that source and destination belong to VPN domains. In start topology with the mentioned VPN routing option all traffic from satellites to center GW will be encrypted.

As mentioned, your situation is one of classic configurations. I recommend you to read the admin guide for VPN, as all the questions above are answered there Site to Site VPN R80.10 Administration Guide 

Dor_Azumi
Participant
‎2018-10-30 04:01 AM

Hi,


Thanks but I have a R77.30 Gaia GW at center and 1430 77.20 GaiaEmbedded GW at the remote site.


I am not sure that satellite community will enforce all traffic routed to the center to be encrypted by the IPSEC, regardless VPN Domain configuration under each GW.

0 Kudos
_Val_
Admin
Admin
‎2018-10-30 05:12 AM
In response to Dor_Azumi

R77.30 admin guide is not so much different. 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2018-10-31 01:42 AM
In response to Dor_Azumi

If you do not believe, look into this sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed g... - you will find how you can achieve this even for locally managed satellites, for centrally managed, it needs just choosing the lowest option in Start Community VPN Routing: To center, or through the center to other satellites, to internet and other VPN targets.

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫