JC_S (Employee)

Possible to 'hide' subnets outside of encryption domain

Scenario: Site A and Site B both have 'Secure' subnets. Traffic to and from these subnets must be encrypted. They also have 'User' subnets that are not secure and have high bandwidth consumption. Any traffic from a User subnet to a Secure subnet must be encrypted in both directions; however, User to User traffic must not be encrypted (mostly due to bandwidth limitations over the VPN links). There is both a VPN gateway and an Internet gateway, and they are on separate routing paths.

Currently, Site A and Site B Secure comprise their respective encryption domains. If we were to add User to either encryption domain, we would have to forward 100% of traffic over the VPN, which will run into bandwidth issues. However, if we don't add it, then any User traffic would not be considered interesting traffic and would be sent out in the clear even if destined for Secure. Our thought is to create a NAT on each Site, then use routing to send anything destined to the NAT back to the VPN gateway. This way, the User subnets can be added to the encryption domain, but will only route over the VPN when the original destination is for Secure.

Does this sound feasible?

3 Replies
Danny (Champion)

You are a Check Point employee, so you should tell us.

Excluding subnets in encryption domain from accessing a specific VPN community

Just exclude the 'User' subnets of Site A from getting encrypted when trying to communicate to other 'User' subnets at Site B.

JC_S (Employee)

Unfortunately, it wouldn't solve the bandwidth issue. Once the traffic gets to the VPN gateway, it would be going on the same physical link whether it was encrypted or not. That's why I was thinking of hiding it to trick the router.

The other solution I was considering was policy-based routing on the router to cause any traffic with a source in the Secure networks to go over the VPN, but I've generally found PBR to be unreliable.

Danny (Champion)

PBR will route it through another physical link.

You might need to pay attention to your address spoofing settings as well as the NAT configuration.

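The designs argued over in this thread can be checked with a small routing model. The following is an added example written for this page, not code from the thread, from Check Point, or from any of the posters. It models Site A's router only, with hypothetical addressing (10.1.x.0/24 at Site A, 10.2.x.0/24 at Site B), and evaluates four designs against the two requirements stated in the original post: anything touching a Secure subnet must be encrypted, and User-to-User traffic must stay off the VPN gateway's link. "secure_only" is the current state, "all_via_vpn" is Danny's exclusion idea with all traffic still routed to the VPN gateway (the bandwidth objection in the second post), "pbr" is the source-based routing alternative, and "nat_alias" is one reading of the NAT idea: Secure hosts reach Site B's User subnet through an alias prefix that is inside the encryption domain and routed to the VPN gateway, while the real prefix stays on the Internet path. The alias prefix, the exclusion rule and the flow list are assumptions of this example; the gateway-side NAT and the anti-spoofing topology Danny mentions are not modelled, beyond noting that the alias prefix would have to appear in both.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: hypothetical addressing, not taken from the thread.
A_SECURE = ipaddress.ip_network("10.1.1.0/24")
A_USER = ipaddress.ip_network("10.1.2.0/24")
B_SECURE = ipaddress.ip_network("10.2.1.0/24")
B_USER = ipaddress.ip_network("10.2.2.0/24")
# Hypothetical NAT alias: Site B's User subnet as Site A's Secure hosts would address it.
# It would need NAT rules on the gateways and a place in their anti-spoofing topology.
B_USER_ALIAS = ipaddress.ip_network("10.2.22.0/24")

VPN_GW, INET_GW = "vpn-gw", "inet-gw"  # the two separate routing paths at Site A


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    next_hop: str
    src: Optional[ipaddress.IPv4Network] = None  # set only on PBR entries


def next_hop(table, src, dst):
    """Site A router lookup: a matching PBR entry wins, otherwise longest prefix on dst."""
    best = None
    for r in table:
        if dst not in r.dst or (r.src is not None and src not in r.src):
            continue
        rank = (r.src is not None, r.dst.prefixlen)
        if best is None or rank > best[0]:
            best = (rank, r)
    return best[1].next_hop if best else INET_GW  # default route: Internet gateway


def in_domain(domain, ip):
    return any(ip in net for net in domain)


def forward(design, src, dst):
    """Return (next_hop, encrypted). Only the VPN gateway encrypts, and only for
    'interesting' traffic: both ends inside the encryption domain and not excluded."""
    hop = next_hop(design["routes"], src, dst)
    excluded = any(src in s and dst in d for s, d in design.get("excluded", []))
    enc = (hop == VPN_GW and in_domain(design["domain"], src)
           and in_domain(design["domain"], dst) and not excluded)
    return hop, enc


def violations(design):
    """Requirements from the thread: anything touching a Secure subnet must be
    encrypted; User-to-User traffic must not use the VPN gateway's link."""
    out = []
    for src, dst in design["flows"]:
        hop, enc = forward(design, src, dst)
        user_dst = dst in B_USER or dst in B_USER_ALIAS
        if (src in A_SECURE or dst in B_SECURE) and not enc:
            out.append(f"cleartext {src}->{dst} via {hop}")
        if src in A_USER and user_dst and hop == VPN_GW:
            out.append(f"vpn-link {src}->{dst}")
    return out


# Sample flows from Site A, one host per subnet (constructed).
SRC_SECURE = ipaddress.ip_address("10.1.1.10")
SRC_USER = ipaddress.ip_address("10.1.2.10")
DST_SECURE = ipaddress.ip_address("10.2.1.10")
DST_USER = ipaddress.ip_address("10.2.2.10")
DST_ALIAS = ipaddress.ip_address("10.2.22.10")
DEFAULT_FLOWS = [(SRC_SECURE, DST_SECURE), (SRC_SECURE, DST_USER),
                 (SRC_USER, DST_SECURE), (SRC_USER, DST_USER)]
ALL = {A_SECURE, A_USER, B_SECURE, B_USER}

DESIGNS = {
    # Today: only the Secure subnets are in the encryption domain.
    "secure_only": {"domain": {A_SECURE, B_SECURE}, "flows": DEFAULT_FLOWS,
                    "routes": [Route(B_SECURE, VPN_GW), Route(B_USER, INET_GW)]},
    # Everything in the domain, User-to-User excluded, everything routed to the VPN gateway.
    "all_via_vpn": {"domain": ALL, "flows": DEFAULT_FLOWS, "excluded": [(A_USER, B_USER)],
                    "routes": [Route(B_SECURE, VPN_GW), Route(B_USER, VPN_GW)]},
    # User subnets in the domain; PBR steers Secure-sourced traffic to the VPN gateway.
    "pbr": {"domain": ALL, "flows": DEFAULT_FLOWS,
            "routes": [Route(B_SECURE, VPN_GW), Route(B_USER, INET_GW),
                       Route(B_USER, VPN_GW, src=A_SECURE)]},
    # NAT alias: Secure hosts use the alias prefix, which is routed to the VPN gateway.
    "nat_alias": {"domain": {A_SECURE, A_USER, B_SECURE, B_USER_ALIAS},
                  "flows": [(SRC_SECURE, DST_SECURE), (SRC_SECURE, DST_ALIAS),
                            (SRC_USER, DST_SECURE), (SRC_USER, DST_USER)],
                  "routes": [Route(B_SECURE, VPN_GW), Route(B_USER, INET_GW),
                             Route(B_USER_ALIAS, VPN_GW)]},
}

if __name__ == "__main__":
    for name, design in DESIGNS.items():
        print(name, violations(design) or "ok")
```

Running it reports two violations for "secure_only" (Secure-to-User leaves via the Internet gateway in the clear, and User-to-Secure reaches the VPN gateway but is not interesting traffic), one for "all_via_vpn" (User-to-User occupies the VPN link even though it is not encrypted), and none for "pbr" or "nat_alias". The model says nothing about PBR reliability or about whether the alias can be made transparent to the Secure hosts; it only confirms that both designs satisfy the routing and encryption requirements as stated, and that the alias prefix must be a first-class object in the gateway's topology for the NAT variant to work.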