Vladimir
Pearl

Externally managed gateway as an Interoperable device?

As per documentation dating back forever, site to site VPNs between locally and externally managed Check Point gateways require us to define the remote unit as "Externally Managed Gateway".

This also entails defining the topology of the Externally Managed Gateway.

I've run into a situation where the peer is reluctant to provide their topology information and would like to know if:

1. Not specifying the topology will prevent this VPN from working

2. Could a remote unit be defined as the "Interoperable Device" to remove the need for topology definition

3. If [2] is possible, what is the benefit of defining the peer as "Externally Managed Gateway" when PSK is used?

I suspect that in cases when certificates are used and the remote peer's topology is properly defined, the ISP redundancy at the remote site could be taken advantage of but am not sure of the particulars.

7 Replies

Re: Externally managed gateway as an Interoperable device?

As long as you know that you need to allow certain IPs, you can define a topology from there. The main difference between an interoperable device and an externally managed gateway is that you can use permanent tunnels, when turned on on both sides.

The thing is that when you don't know what lives at the other end you cannot set the allowed list for routing via VPN either.

Regards, Maarten
Vladimir
Pearl

Re: Externally managed gateway as an Interoperable device?

If I am not aware what interfaces on the peer's side are internal and external, it is not easy to infer the topology:)

To add some spice, there is NAT on both sides of the VPN.

With Interoperable device, we are only concerned with the peer's public IP and the encryption domain, which simplifies things.

I would like to hear from CP if this is supported and if there any caveats I should be aware of.

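The Interoperable Device approach above reduces the peer definition to its public IP and its encryption domain, and the NAT on both sides is exactly where such a definition tends to go wrong. The following is an added example, not code from the thread or from Check Point: a hypothetical pre-flight check using only the standard library, with constructed RFC 5737 / RFC 1918 addresses, that flags overlapping encryption domains (which force NAT on one side), remote hosts the peer left out of its declared domain, and a peer defined by a private rather than public address.

```python
"""Added example (not from the CheckMates thread): model the minimum an
Interoperable Device definition needs, the peer's public IP plus the
peer's encryption domain, and check the things that break such a tunnel
when NAT sits on both sides. Hypothetical helper with constructed
addresses; no Check Point API is involved."""
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, spelled out rather than using is_private(), which in
# Python also matches the RFC 5737 documentation ranges used below.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_networks(nets):
    """Parse CIDR strings; strict=True rejects prefixes with host bits set,
    a common copy-paste error in encryption domains."""
    return [ip_network(n, strict=True) for n in nets]


def domain_overlaps(local_domain, peer_domain):
    """Pairs of (local, peer) networks that overlap. Any hit means the
    gateway cannot tell tunnel traffic from LAN traffic for those
    addresses, so one side has to present NATed addresses instead."""
    return [(a, b) for a in local_domain for b in peer_domain if a.overlaps(b)]


def uncovered_hosts(hosts, peer_domain):
    """Remote hosts we need that the peer left out of its encryption
    domain; traffic to them never matches the VPN."""
    return [h for h in hosts if not any(h in n for n in peer_domain)]


def check_peer(local_domain, peer_ip, peer_domain, needed_hosts):
    """Return a list of problem strings for a proposed Interoperable
    Device definition. Inputs are CIDR/IP strings: our encryption domain,
    the peer's public IP, the peer's encryption domain and the remote
    hosts we actually need to reach. An empty list means consistent."""
    local = parse_networks(local_domain)
    remote = parse_networks(peer_domain)
    peer = ip_address(peer_ip)
    hosts = [ip_address(h) for h in needed_hosts]
    problems = []
    for a, b in domain_overlaps(local, remote):
        problems.append(f"local {a} overlaps peer {b}; NAT one side before building the tunnel")
    for h in uncovered_hosts(hosts, remote):
        problems.append(f"{h} is outside the peer's encryption domain; ask them to add it")
    if any(peer in n for n in RFC1918):
        problems.append(f"peer address {peer} is RFC 1918; with NAT in front of the peer use its public address")
    return problems


def demo():
    """Constructed scenario: both sites live in 10.0.0.0/8, so before NAT
    the domains collide; after each side NATs its hosts into a distinct
    /24 the only remaining issue is a host the peer did not declare."""
    pre_nat = check_peer(["10.0.1.0/24"], "203.0.113.10",
                         ["10.0.0.0/16"], ["10.0.5.20"])
    post_nat = check_peer(["172.16.10.0/24"], "203.0.113.10",
                          ["172.16.20.0/24"], ["172.16.20.20", "172.16.21.5"])
    return pre_nat, post_nat


if __name__ == "__main__":
    pre, post = demo()
    print("before NAT:", *pre, sep="\n  ")
    print("after NAT:", *post, sep="\n  ")
```

Run it as-is to see the two constructed scenarios; feed `check_peer` the real ranges before committing the Interoperable Device object and its VPN domain group on the management.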
JozkoMrkvicka
Platinum

Re: Externally managed gateway as an Interoperable device?

AFAIK, the "Externally Managed Gateway" should be only Check Point devices (with Gaia installed). This will allow you to set up VPN based on certificates.

"Interoperable Device" should be created only in case you need to establish VPN with another vendor.

Kind regards,
Jozko Mrkvicka
Vladimir
Pearl

Re: Externally managed gateway as an Interoperable device?

I am aware of the definitions, but am looking for workaround, since I cannot define the topology for the remote Check Point gateway, due to peer's reluctance in providing this information.

Configured without topology, the VPN fails and I am not sure if it is an expected behavior in this case, or if it is caused by other factors.

Re: Externally managed gateway as an Interoperable device?

Are they at least willing to provide you their VPN domain networks? If yes, interoperable device is a viable option. I do not see any problem with your approach.

Vladimir
Pearl

Re: Externally managed gateway as an Interoperable device?

Thank you, Valeri.

I'll give it a shot with Interoperable Device and will report my findings.


Re: Externally managed gateway as an Interoperable device?

Looking forward to hearing about your experience.