peter_schumache
Collaborator

Manually define local VPN Domain per remote peer

I'm quite sure I have seen a KB article about a definition file, which allows you to define the local encryption domain according to the remote peer, e.g.:

If the remote site-to-site VPN peer is A, then my local encryption domain is my networks A1, A2 and A3.

If the remote site-to-site VPN peer is B, then my local encryption domain is my networks B1 and B2.

Can't find that info anymore.

6 Replies
G_W_Albrecht
Legend

The options for granular control over VPN routing are available by editing the vpn_route.conf file in the conf directory of the Security Management Server. See Site to Site VPN Administration Guide R80.20 p. 72ff for details!

peter_schumache
Collaborator

It's not only VPN-Routing. I want a dedicated VPN-Domain definition per remote peer for my GW. Consider the situation, where I have my corporate gateway, which has 20 site-to-site connections with various partners.
My gateway has 1 single encryption domain definition defined as a group, which includes ALL possible networks it might negotiate with ALL peer gateways.
To be sure that my gateway uses only a very well defined set of networks for its negotiation with a specific remote peer, I would need a specific local encryption domain for every peer. This is not possible within the SmartDashboard, but I'm pretty sure I saw this possibility within a config file.
If this can be achieved with vpn_route.conf, I would be glad to see an example of how it would look according to the scenario described in my original post.
Timothy_Hall
Champion

Yes, see scenario one here: sk108600: VPN Site-to-Site with 3rd party.

The trickiest part of this is ensuring you are editing the correct user.def file based on the gateway version, for that see here: sk98239 - Location of 'user.def' files on Security Management Server

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Maarten_Sjouw
Champion

Yep, user.def is the way to go.
They are promising us that local per-vpn topology will be possible in a soon to be released version.
How soon? We'll have to wait and see.
Regards, Maarten
PhoneBoy
Admin

Targeted to R80.30.M1 in maintrain: https://community.checkpoint.com/t5/Multi-Domain-Management/VPN-Domain-per-VPN-community/td-p/30246
May also be available in a customer-specific release through your local office.
Andreas_Aust
Collaborator

Hi,

Look for subnet_for_range_and_peer in the crypt.def file.
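To make the per-peer local encryption domain idea from the original post and the user.def/subnet_for_range_and_peer replies concrete, here is an added example (not from this thread, nor Check Point's own code) that models the mapping "remote peer -> allowed local networks", checks whether a proposed local subnet is permitted for a given peer, lists which networks of the gateway-wide VPN domain group a peer must never see, and renders candidate user.def rows. The peer IPs and networks are constructed sample data, and the row format <range_start, range_end, peer; subnet, mask> is an assumption modelled on sk108600; verify it against that SK for your version before using it.

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread): remote peer IP -> local
# networks that may be negotiated with that peer only.
PER_PEER_DOMAIN = {
    "203.0.113.10": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"],  # peer A: A1..A3
    "198.51.100.20": ["10.2.0.0/24", "10.2.1.0/24"],                 # peer B: B1, B2
}


def allowed_for_peer(peer_ip, proposed_subnet):
    """True if the proposed local subnet lies inside that peer's local domain.

    Unknown peers get an empty domain, so nothing is allowed for them.
    """
    nets = [ip_network(n) for n in PER_PEER_DOMAIN.get(peer_ip, [])]
    proposed = ip_network(proposed_subnet)
    return any(proposed.subnet_of(n) for n in nets)


def leaked_networks(peer_ip, full_domain):
    """Networks of the gateway-wide VPN domain group that this peer must not see.

    This is the exposure the original poster wants to avoid when one group
    holds ALL networks for ALL peers.
    """
    return [n for n in full_domain if not allowed_for_peer(peer_ip, n)]


def user_def_entries():
    """Render candidate subnet_for_range_and_peer rows for user.def.

    ASSUMPTION: the row syntax <range_start, range_end, peer; subnet, mask>
    follows sk108600; confirm it for your release before deploying.
    """
    rows = []
    for peer, nets in PER_PEER_DOMAIN.items():
        for n in map(ip_network, nets):
            # n[0] is the first address of the network, n[-1] the last.
            rows.append(f"\t<{n[0]}, {n[-1]}, {peer}; {n.network_address}, {n.netmask}>")
    return "subnet_for_range_and_peer = {\n" + ",\n".join(rows) + "\n};"


if __name__ == "__main__":
    full = [n for nets in PER_PEER_DOMAIN.values() for n in nets]
    for peer in PER_PEER_DOMAIN:
        print(peer, "must never see:", leaked_networks(peer, full))
    print(user_def_entries())
```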