This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Us4r
Contributor
‎2020-02-07 01:45 AM

IPSEC Dynamic Routing with SmartProvisioning

Hello,

 

at the moment we are working on a concept to introduce a dynamic routing concept within our IPSEC Environment.

We have a lot of SMB Devices (1400 Boxes) which will be centrally administrated with SmartProvisioning Profiles.

Our Sites Team wants a concept were every SMB Device has a VPN Tunnel to each other to allow direct data exchange between the sites with a dynamic routing protocol behind (like OSPF). We think we need something like a VPN Mesh Community but there I can't add LSM - Profiles as "participating gateways".

I also created a view about our current concept and the future concept (see attachments).

 

I hope that anyone has a good idea how we can concept that because I don't want to switch our IPSEC VPN Solution to another vendor...

 

Thanks.

 

Florian

 

Preview file
60 KB
Preview file
71 KB
0 Kudos
4 Replies
Wolfgang
Authority
Authority
‎2020-02-07 02:16 AM

Florian,

SmartLSM profiles as meshed center gateways is not possible. This configuration does not work and is not supported.

That's why you can't add your LSM profile.

If you want to get connectivity beetween the networks behind your 14xx  you have to use VPN routing via the central CO-gateway. You are doing this now via VTIs.

We had this running without VTI. It works with the normal VPN-routing configuration of the VPN community. Only if you have none SmartLSM gateways as satellites you have to follow VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM... . No static routes and if remote 14xx gateways changing there external IPs the CO-gateway is learning these.

I think direct VPN connections (meshed) between your 14xx gateways is only possible if you are not using SmartLSM profiles and having all 14xx gateways as normal gateways defined SmartConsole.

With SmartLSM profiles you have to use VPN routing.

Wolfgang

0 Kudos
Us4r
Contributor
‎2020-02-07 03:10 AM
In response to Wolfgang

Hello Wolfgang,

 

thank you for that information.

 

<<I think direct VPN connections (meshed) between your 14xx gateways is only possible if you are not using SmartLSM profiles and having all 14xx gateways as normal gateways defined SmartConsole.>>

Would be really bad if Checkpoint won't support that with SmartLSM. 😞

 

It's not our concept to have a lot of 1400 Gateways configured without LSM - Profile because there are some management limitations which are very poor.

As example installing FW Policy on more > 10 Gateways in parallel will timeout on the management server and does not work. That's really a big issue for us when you need to push a policy change to 100 gateways....

 

As routing protocol did you use OSPF?

 

Regards

 

 

Florian

 

0 Kudos
Wolfgang
Authority
Authority
‎2020-02-07 03:36 AM
In response to Us4r

I  know the limitation of handling a large numbers of small appliances 😪 That's why SmartLSM is your tool.

 

No OSPF is needed.

Routing via the central CO-gateway does not need any dynamic routing protocol nor static-routes to the networks behinds your 14xx gateways. The routing is done via the routing capability of your vpn community.

Why do you need the direct connection between your gateways ?

Wolfgang

0 Kudos
Us4r
Contributor
‎2020-02-07 04:24 AM
In response to Wolfgang

Hello Wolfgang,

 

<<Routing via the central CO-gateway does not need any dynamic routing protocol nor static-routes to the networks behinds your 14xx gateways. The routing is done via the routing capability of your vpn community.>>

 

We used RouteBasedVPN with Tunnel Interfaces and with this configuration we need OSPF.

After your last post I did change my concept (see attachment).

I think we should concept more then one Firewall as CO - Gateway and add all of the CO - Gateways as Center Firewall to the VPN Community.

That should match our requirements for the most use cases. Via OSPF the best route to the destination network should be automatically selected. If one CO Gateway is down routing should switch to one of the other CO Gateways.

 

Has anyone this tried before to add more than one CO Gateway as Center Firewall to the same community?

 

Regards

 

 

Florian

Preview file
72 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events