This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
peter_schumache
Collaborator
‎2019-05-02 01:25 AM

Manually define local VPN Domain per remote peer

I'm quite sure I have seen a KB article about a definition file, which allows you to define the local encryption Domain according to the remote peer, e.g.

If the remote site-to-site VPN peer is A, then my local encryption domain are my networks A1, A2 and A3

If the remote site-to-site VPN peer is B, then my local encryption domain are my networks B1 and B2

Can't find that info anymore

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-05-02 03:02 AM

The options for granular control over VPN routing are available by editing the vpn_route.conf file in the conf directory of the Security Management Server. See Site to Site VPN Administration Guide R80.20 p. 72ff for details !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
peter_schumache
Collaborator
‎2019-05-02 03:51 AM
In response to G_W_Albrecht

It's not only VPN-Routing. I want a dedicated VPN-Domain definition per remote peer for my GW. Consider the situation, where I have my corporate gateway, which has 20 site-to-site connections with various partners.
My gateway has 1 single enryption domain definition defined as a group, which includes ALL possible networks it might negotiate with ALL peer gateways.
To be sure, that my gateway uses only a very well defined set of networks for its negotiation with a specific remote peer, i would need a specific local encryption domain for every peer. This is not possible within the SmartDashboard, but I'm pretty sure I saw this possibility within a config file.
If this can be achieved with vpn_route.conf, I would be glad to see an example of how it would look like according to the scenario described in my original post.
Timothy_Hall
Legend Legend
Legend
‎2019-05-02 06:04 AM
In response to peter_schumache

Yes, see scenario one here: sk108600: VPN Site-to-Site with 3rd party. 

The trickiest part of this is ensuring you are editing the correct user.def file based on the gateway version, for that see here: sk98239 - Location of 'user.def' files on Security Management Server

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Maarten_Sjouw
Champion
Champion
‎2019-05-02 07:48 AM
In response to Timothy_Hall

Yep, user.def is the way to go.
They are promising us that local per-vpn topology will be possible in a soon to be released version.
How soon? We'll have to wait and see.
Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-03 02:34 PM
In response to Maarten_Sjouw

Targeted to R80.30.M1 in maintrain: https://community.checkpoint.com/t5/Multi-Domain-Management/VPN-Domain-per-VPN-community/td-p/30246
May also be available in a customer-specific release thru your local office.
0 Kudos
Andreas_Aust
Collaborator
‎2019-05-02 04:45 AM

Hi,

 

look for 

subnet_for_range_and_peer

in the crypt.def file
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top