This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
domelsnake
Explorer
‎2019-07-22 04:23 AM

Multiple VPN tunnels and separate local encryption domains on R77.30

Hello all,

I have a question with regards to the local encryption domains on CheckPoint firewalls.

 

I'm trying to setup a backup connectivity (site-to-site VPN) with one of our satellite offices which has a single MPLS circuit (other sites have dual MPLS links), unfortunately I'm having some issues due to the fact the CheckPoint firewall can only have a single set of local encryption domains associated with the local gateway.

Is it possible to create a new object (CheckPoint cluster or perhaps Interoperable Device with the same IP address as the existing one), link it with a different Encryption_Domain group and use that object for a new VPN Community?

Thanks,

Dom

 

 

 

 

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2019-07-23 08:53 PM

A given Check Point gateway can only have a single encryption domain.
This is something we plan to address in an upcoming release.
0 Kudos
domelsnake
Explorer
‎2019-07-25 12:53 AM
In response to PhoneBoy

Thank you for your answer.

Is it possible to clone or replicate the existing CheckPoint gateway with a different name and assign a different encryption domain to it?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-25 11:57 AM
In response to domelsnake

Trying to create a second gateway object that refers to the same physical gateway will not work.
You could potentially use VSX to achieve this requirement, with each VS servicing a different encryption domain.

As I posted previously, we plan on supporting this in a future release.
If you absolutely have to have this now, there's a customer release on top of R80.10 that supports this--please contact your local Check Point office for details.
martinkiska
Explorer
‎2020-04-30 10:27 AM
In response to PhoneBoy

Hello @PhoneBoy,

is there any progress regarding this functionality? 

I have similar business need for this. We have full mesh VPN domain based setup but on one location we need few subnets to be able to communicate to two different locations - 

1. rest of full mesh VPN peers to private address space 

2. to specific IPSec tunnel which ends on cloud provider platform (src:few subnets dst:public IP range). Rest of local subnets should communicate to same public IP range via default gateway and not via IPSec tunnel.

 

Is it possible to achieve it? I am 100 % sure, that with Cisco ASA I would be able to get this done, but I am little bit lost if this is possible on checkpoint.

 

Thank you for your time.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-30 01:29 PM
In response to martinkiska

We support different VPN domains per gateway in R80.40.
0 Kudos
_Val_
Admin
Admin
‎2020-04-30 02:22 PM
In response to martinkiska

R77.30 is way out of support. R80.40 GWs support VPN domains per community.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-23 11:10 PM

The easiest way is to ask the guys managing the MPLS routers on both sides to build a tunnel, they can then use BGP to decide which path needs to be used.
In some situations you need to build a IPSEC tunnel for them so they can build a GRE tunnel on top of that. Do not forget to tell them to set the MSS value on that interface as low as 1300.
Regards, Maarten
0 Kudos
domelsnake
Explorer
‎2019-07-25 01:00 AM
In response to Maarten_Sjouw

Thanks Maarten,

The MPLS router isn't directly connected to the Internet and does't have cryptographic IOS therefore I won't be able to use it as the tunnel termination point.

I would like to utilize the CheckPoint firewalls we have.

 

I'm very surprised that such a massive vendor like CheckPoint doesn't have such a basic functionality... 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-07-25 04:23 AM
In response to domelsnake

That the router is not connected to the Internet is only very good. However the inside of the FW will have a connection to the router. As far as I know for GRE you do not need a crypto image.
As said you build a IP Sec tunnel between both CP's and on top of that you build a GRE tunnel between both routers. Now let the Dynamic routing take care of the rest.

 

Another option is to build a Route based VPN, where you create a Virtual tunnel interface on both CP's and you let Dynamic routing take care of the rest.

Regards, Maarten
0 Kudos
domelsnake
Explorer
‎2019-07-30 02:54 AM
In response to Maarten_Sjouw

Thank you Maarten

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events