Multiple VPN tunnels and separate local encryption domains on R77.30

Hello all,

I have a question with regards to the local encryption domains on CheckPoint firewalls.

I'm trying to set up backup connectivity (site-to-site VPN) with one of our satellite offices, which has a single MPLS circuit (other sites have dual MPLS links). Unfortunately, I'm having some issues because the Check Point firewall can only have a single set of local encryption domains associated with the local gateway.

Is it possible to create a new object (CheckPoint cluster or perhaps Interoperable Device with the same IP address as the existing one), link it with a different Encryption_Domain group and use that object for a new VPN Community?

Thanks,

Dom
10 Replies
Admin

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

A given Check Point gateway can only have a single encryption domain.
This is something we plan to address in an upcoming release.

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

Thank you for your answer.

Is it possible to clone or replicate the existing Check Point gateway with a different name and assign a different encryption domain to it?

Admin

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

Trying to create a second gateway object that refers to the same physical gateway will not work.
You could potentially use VSX to achieve this requirement, with each VS servicing a different encryption domain.

As I posted previously, we plan on supporting this in a future release.
If you absolutely have to have this now, there's a customer release on top of R80.10 that supports this; please contact your local Check Point office for details.

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

Hello @PhoneBoy,

Is there any progress regarding this functionality?

I have a similar business need for this. We have a full-mesh, domain-based VPN setup, but at one location we need a few subnets to be able to communicate with two different locations:

1. The rest of the full-mesh VPN peers in private address space.

2. A specific IPsec tunnel that terminates on a cloud provider's platform (src: a few subnets, dst: a public IP range). The rest of the local subnets should reach the same public IP range via the default gateway and not via the IPsec tunnel.

Is it possible to achieve this? I am 100% sure that with a Cisco ASA I would be able to get this done, but I am a little bit lost as to whether this is possible on Check Point.

Thank you for your time.

Admin

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

We support different VPN domains per gateway in R80.40.

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

R77.30 is way out of support. R80.40 GWs support VPN domains per community.

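A simplified model of the behaviour the two replies above describe, added here as an illustration and not code from Check Point or from anyone in this thread: with one gateway-wide encryption domain, every local subnet that the cloud peer's domain also covers gets pulled into the cloud tunnel; with a per-community local domain (R80.40), only the intended subnets do. All addresses are constructed, and the matching is a simplification that ignores the rulebase and routing.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration only (RFC 1918 and TEST-NET-3 ranges).
LOCAL_SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]
CLOUD_SUBNETS = [ip_network("10.1.2.0/24")]            # the "few subnets" allowed to use the cloud tunnel
MESH_PEER_DOMAIN = [ip_network("10.2.0.0/16"), ip_network("10.3.0.0/16")]
CLOUD_PEER_DOMAIN = [ip_network("203.0.113.0/24")]     # cloud provider's public range


def in_domain(addr: str, domain) -> bool:
    """True if addr falls inside any network of the given encryption domain."""
    a = ip_address(addr)
    return any(a in net for net in domain)


def select_path(src: str, dst: str, communities) -> str:
    """Return the name of the first community whose local domain covers src and
    whose peer domain covers dst; otherwise "clear" (forwarded via the default
    gateway, unencrypted). Simplified: ignores the rulebase and routing."""
    for name, local_domain, peer_domain in communities:
        if in_domain(src, local_domain) and in_domain(dst, peer_domain):
            return name
    return "clear"


# Pre-R80.40 model: one gateway-wide domain is reused by every community.
SINGLE_DOMAIN = [
    ("mesh", LOCAL_SUBNETS, MESH_PEER_DOMAIN),
    ("cloud", LOCAL_SUBNETS, CLOUD_PEER_DOMAIN),
]
# R80.40 model: the cloud community gets its own, narrower local domain.
PER_COMMUNITY = [
    ("mesh", LOCAL_SUBNETS, MESH_PEER_DOMAIN),
    ("cloud", CLOUD_SUBNETS, CLOUD_PEER_DOMAIN),
]


def compare(src: str, dst: str):
    """(path with a single gateway domain, path with per-community domains)."""
    return select_path(src, dst, SINGLE_DOMAIN), select_path(src, dst, PER_COMMUNITY)


if __name__ == "__main__":
    for src, dst in [("10.1.2.10", "203.0.113.5"),   # allowed subnet -> cloud range
                     ("10.1.0.10", "203.0.113.5"),   # other local subnet -> cloud range
                     ("10.1.0.10", "10.2.5.5")]:     # any local subnet -> mesh peer
        single, per_comm = compare(src, dst)
        print(f"{src} -> {dst}: single domain={single}, per-community={per_comm}")
```

The second case is the one the thread is about: with a single domain it is encrypted into the cloud tunnel, with a per-community domain it goes out in the clear via the default gateway.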

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

The easiest way is to ask the guys managing the MPLS routers on both sides to build a tunnel; they can then use BGP to decide which path needs to be used.
In some situations you need to build an IPsec tunnel for them so they can build a GRE tunnel on top of that. Do not forget to tell them to set the MSS value on that interface as low as 1300.
Regards, Maarten

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

Thanks Maarten,

The MPLS router isn't directly connected to the Internet and doesn't have a cryptographic IOS, so I won't be able to use it as the tunnel termination point.

I would like to utilize the Check Point firewalls we have.


I'm very surprised that such a massive vendor as Check Point doesn't have such basic functionality...


Re: Multiple VPN tunnels and separate local encryption domains on R77.30

That the router is not connected to the Internet is actually very good. However, the inside of the FW will have a connection to the router. As far as I know, for GRE you do not need a crypto image.
As said, you build an IPsec tunnel between both CPs and on top of that you build a GRE tunnel between both routers. Now let the dynamic routing take care of the rest.

Another option is to build a route-based VPN, where you create a virtual tunnel interface on both CPs and let dynamic routing take care of the rest.

Regards, Maarten

Re: Multiple VPN tunnels and separate local encryption domains on R77.30

Thank you Maarten