We have a Check Point 7000 appliance gateway. Last time we successfully established a site-to-site IPsec tunnel with one of our partner organizations. Now they need to establish another tunnel with the same peer IP but different encryption domains for another service. Their firewall is a FortiGate. On the FortiGate they can add different encryption domains in Phase II only.
Since there is one tunnel established with one encryption domain, we now need another two different encryption domains in the same existing VPN community. After the configuration, the existing tunnel and one of the newly established tunnels are up, but not the third one. When the second ED is up, the third ED is down. Both newly established tunnels have the same destination at the partner, which is .85, so they gave us 2 NAT IPs. We have NAT'ed both of our EDs and sent them to their .85 destination.
How can we configure 3 EDs in the same VPN community?
Do you have a simple network diagram with the IPs involved? Even a basic Paint drawing would help 🙂
Please blur out any sensitive info.
Cheers,
Andy
Hello,
When you talk about encryption domains it would be helpful if you use "local" or "remote" so we understand where you need to add the networks. I understand that you added two more networks to the remote encryption domain. You can have all the networks you want, as long as no overlap exists with other VPN communities.
To clarify, just two encryption domains exist: one local ED (networks behind your local Check Point firewall) and one remote ED (networks behind the FortiGate). All you need to do is add those two new networks to the remote ED (it should be a network group object).
On the Check Point side it works the same way you mention for the FortiGate. When you add more networks to the encryption domain group, the peers will negotiate one set of Phase 2 keys for each of these new networks.
So one single VPN community is needed. You should set "one VPN tunnel per subnet pair" in the VPN Tunnel Sharing section.
If you have trouble, please upload the logs from SmartConsole so we can give better advice. You can filter by `action:"Key Install" and X.X.X.X`, where the IP is the remote peer's public IP address.
Regards
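To make the two rules in this answer concrete (one Phase 2 SA per local/remote subnet pair under "one VPN tunnel per subnet pair", and no encryption-domain overlap between communities), here is an added planning helper. It is example code written for this thread, not part of the original reply or of Check Point's tooling; the community names and all networks are constructed sample values.

```python
from ipaddress import ip_network
from itertools import product

# Constructed sample data (RFC 5737 / RFC 1918 ranges), not taken from the thread.
# Each community lists its local ED (behind this gateway) and remote ED (behind the peer).
COMMUNITIES = {
    "partner-A": {"local": ["10.10.1.0/24", "10.10.2.0/24"],
                  "remote": ["192.0.2.85/32"]},
    "partner-B": {"local": ["10.20.0.0/16"],
                  "remote": ["192.0.2.0/24"]},   # overlaps partner-A's remote entry
}


def phase2_pairs(local_ed, remote_ed):
    """Subnet pairs a community negotiates as separate Phase 2 SAs when
    VPN Tunnel Sharing is set to 'one VPN tunnel per subnet pair'."""
    return [(str(ip_network(l)), str(ip_network(r)))
            for l, r in product(local_ed, remote_ed)]


def cross_community_overlaps(communities, side="remote"):
    """Return (community, net, other_community, other_net) for every pair of
    networks on the given ED side ('local' or 'remote') that overlap across
    two different communities. An empty list means the EDs are disjoint."""
    hits = []
    names = list(communities)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in communities[a][side]:
                for nb in communities[b][side]:
                    if ip_network(na).overlaps(ip_network(nb)):
                        hits.append((a, na, b, nb))
    return hits


if __name__ == "__main__":
    for name, c in COMMUNITIES.items():
        pairs = phase2_pairs(c["local"], c["remote"])
        print(f"{name}: {len(pairs)} Phase 2 SA(s) expected")
        for local, remote in pairs:
            print(f"  {local} <-> {remote}")
    for a, na, b, nb in cross_community_overlaps(COMMUNITIES):
        print(f"WARNING: remote ED overlap between {a} ({na}) and {b} ({nb})")
```

Each printed pair is one "Key Install" you would expect to see in the SmartConsole log filter above; a warning line points at an ED entry that has to be fixed before the communities can coexist.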
@RS_Daniel
Thank you for the information.
We have 2 new additional local EDs. There is one remote ED. Currently there are two encryption domains which are up and active. However, we are still not successful with the third encryption domain. All three are within the same VPN community.
We only support a single Encryption Domain per VPN Community (as of R80.40).
To have different encryption domains, you'd have to have three separate VPN communities each communicating with a different IP address.
We do not support establishing multiple VPNs to the same IP address.
@PhoneBoy
But currently there are two encryption domains which are up and active. However, we are still not successful with the third encryption domain within a single VPN community.
The local and remote peer addresses are the same. So, can't we add encryption domains within a single VPN community?
In R80.40 and above, you can specify a different local encryption domain for the local gateway based on the VPN Community used.
For remote VPN peers, the encryption domain is associated with the peer itself, not the VPN Community.
Only a single Encryption Domain is supported on a remote VPN peer.
Which means what you are trying to do is NOT supported.