
Manually define local VPN Domain per remote peer

I'm quite sure I have seen a KB article about a definition file which allows you to define the local encryption domain according to the remote peer, e.g.

If the remote site-to-site VPN peer is A, then my local encryption domain is my networks A1, A2 and A3.

If the remote site-to-site VPN peer is B, then my local encryption domain is my networks B1 and B2.

Can't find that info anymore.

6 Replies

The options for granular control over VPN routing are available by editing the vpn_route.conf file in the conf directory of the Security Management Server. See Site to Site VPN Administration Guide R80.20 p. 72ff for details!


It's not only VPN routing. I want a dedicated VPN domain definition per remote peer for my GW. Consider the situation where I have my corporate gateway, which has 20 site-to-site connections with various partners.
My gateway has one single encryption domain definition, defined as a group, which includes ALL possible networks it might negotiate with ALL peer gateways.
To be sure that my gateway uses only a very well defined set of networks for its negotiation with a specific remote peer, I would need a specific local encryption domain for every peer. This is not possible within the SmartDashboard, but I'm pretty sure I saw this possibility within a config file.
If this can be achieved with vpn_route.conf, I would be glad to see an example of how it would look according to the scenario described in my original post.

Yes, see scenario one here: sk108600: VPN Site-to-Site with 3rd party.

The trickiest part of this is ensuring you are editing the correct user.def file based on the gateway version, for that see here: sk98239 - Location of 'user.def' files on Security Management Server


R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com

Yep, user.def is the way to go.
They are promising us that local per-vpn topology will be possible in a soon to be released version.
How soon? We'll have to wait and see.
Regards, Maarten
Admin

Targeted to R80.30.M1 in maintrain: https://community.checkpoint.com/t5/Multi-Domain-Management/VPN-Domain-per-VPN-community/td-p/30246
May also be available in a customer-specific release through your local office.

Hi,

look for subnet_for_range_and_peer in the crypt.def file
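The two-peer scenario from the original question, written out as the subnet_for_range_and_peer table the replies point to, as an added example that is not from the thread, the SK or Check Point. The tuple layout (remote range start, remote range end, peer gateway IP; local subnet; local mask), the file guard and all addresses are my assumptions, so compare them with sk108600 before editing the user.def copy that sk98239 identifies for your gateway version.

```text
// Added example for user.def (the copy matching the gateway version, per sk98239)
// Assumed tuple layout: <remote_range_start, remote_range_end, peer_gw_ip; local_subnet; local_mask>
// Assumed meaning: for traffic to that remote range through that peer, present only the
// listed local subnet as the encryption domain instead of the gateway's whole VPN domain group.
#ifndef __user_def__
#define __user_def__

subnet_for_range_and_peer = {
    // Peer A (203.0.113.10, constructed address) with remote domain 10.1.0.0/16:
    // the gateway offers only networks A1, A2 and A3
    <10.1.0.0, 10.1.255.255, 203.0.113.10; 192.168.1.0; 255.255.255.0>,   // A1
    <10.1.0.0, 10.1.255.255, 203.0.113.10; 192.168.2.0; 255.255.255.0>,   // A2
    <10.1.0.0, 10.1.255.255, 203.0.113.10; 192.168.3.0; 255.255.255.0>,   // A3

    // Peer B (198.51.100.20, constructed address) with remote domain 10.2.0.0/16:
    // the gateway offers only networks B1 and B2
    <10.2.0.0, 10.2.255.255, 198.51.100.20; 172.16.1.0; 255.255.255.0>,   // B1
    <10.2.0.0, 10.2.255.255, 198.51.100.20; 172.16.2.0; 255.255.255.0>    // B2
};

#endif
```

After installing policy, the simplest check that the narrower domain is actually in effect is to compare the proxy IDs shown in vpn debug output or the IKE negotiation for each peer against the subnets listed above.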