This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-09-27 09:43 AM

Externally managed gateway as an Interoperable device?

As per documentation dating back forever, site to site VPNs between locally and externally managed Check Point gateways require us to define the remote unit as "Externally Managed Gateway".

This also entails defining the topology of the Externally Managed Gateway.

I've run into a situation where the peer is reluctant to provide their topology information and would like to know if:

1. Not specifying the topology will prevent this VPN from working

2. Could a remote unit be defined as the "Interoperable Device" to remove the need for topology definition

3. If [2] is possible, what is the benefit of defining the peer as "Externally Managed Gateway" when PSK is used?

I suspect that in cases when certificates are used and the remote peer's topology is properly defined, the ISP redundancy at the remote site could be taken advantage of but am not sure of the particulars.

7 Replies
Maarten_Sjouw
Champion
Champion
‎2018-09-27 10:57 AM

As long as you know that you need to allow certain IP's you can define a topology from there. The main difference between a interoperable and externally managed is that you can use permanent tunnels, when turned on on both sides. 

The thing is that when you don't know what lives at the other end you cannot set the allowed list for routing via VPN either.

Regards, Maarten
0 Kudos
Vladimir
Champion
Champion
‎2018-09-27 11:06 AM
In response to Maarten_Sjouw

If I am not aware what interfaces on the peer's side are internal and external, it is not easy to infer the topology:)

To add some spice, there is a NAT on the both sides of the VPN.

With Interoperable device, we are only concerned with the peer's public IP and the encryption domain, which simplifies things.

I would like to hear from CP if this is supported and if there any caveats I should be aware of.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-09-27 11:07 AM

AFAIK, the "Externally Managed Gateway" should be only Check Point devices (with GAIA installed). This will allow you setup VPN based on certificates.

"Interoperable Device" should be created only in case you need to establish VPN with another vendor.

Kind regards,
Jozko Mrkvicka
Vladimir
Champion
Champion
‎2018-09-27 11:18 AM
In response to JozkoMrkvicka

I am aware of the definitions, but am looking for workaround, since I cannot define the topology for the remote Check Point gateway, due to peer's reluctance in providing this information.

Configured without topology, the VPN fails and I am not sure if it is an expected behavior in this case, or if it is caused by other factors.

_Val_
Admin
Admin
‎2018-09-28 04:06 AM

Are the at least willing to provide you their VPN domain networks? If yes, interoperable device is a viable option. I do not see nay problem with your approach

0 Kudos
Vladimir
Champion
Champion
‎2018-09-28 05:59 AM
In response to _Val_

Thank you Valeri. 

I'll give it a shot with Interoperable Device and will report my findings.

0 Kudos
_Val_
Admin
Admin
‎2018-09-28 06:12 AM
In response to Vladimir

Looking for ward to hearing  about your experience

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events