gemechisd
Contributor

Site to Site VPN

We have a Check Point 7000 appliance gateway. Last time, we successfully established a site-to-site IPsec tunnel with one of our partner organizations. Now they need to establish another tunnel with the same peer IP but different encryption domains for another service. Their firewall is a Fortigate. On the Fortigate they can add different encryption domains in Phase II only.

Since there is one tunnel established with one encryption domain, we now need another two different encryption domains within the same existing VPN community. After the configuration, the existing tunnel and one of the newly established tunnels are up, but not the third one. When the second ED is up, the third ED is down. Both newly established tunnels have the same destination at the partner, which is .85, so they gave us 2 NAT IPs, and we have NAT'ed both of our EDs and sent them to their .85 destination.

How can we configure 3 EDs in the same VPN community?

0 Kudos
6 Replies
the_rock
Legend

Do you have simple network diagram with IPs involved? Even basic paint drawing would help 🙂

Please blur out any sensitive info.

Cheers,

Andy

0 Kudos
RS_Daniel
Advisor

Hello,

When you talk about encryption domains, it would be helpful if you use "local" or "remote" so we understand where you need to add the networks. I understand that you added two more networks to the remote encryption domain. You can have all the networks you want, as long as there is no overlap with other VPN communities.

To clarify, just two encryption domains exist. One local ED (networks behind your local Check Point firewall) and one remote ED (networks behind the Fortigate). All you need to do is add those two new networks to the remote ED (it should be a network group object).

On the Check Point side, it works the same way you mention for the Fortigate. When you add more networks to the encryption domain group, the peers will negotiate one set of Phase 2 keys for each of these new networks.

So one single VPN community is needed. You should set "one VPN tunnel per subnet pair" in the VPN Tunnel Sharing section.

If you have trouble, please upload the logs from SmartConsole so we can give better advice. You can filter by "action:"Key Install" and X.X.X.X", where the IP is the remote peer's public IP address.

Regards

0 Kudos
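To make the two points above concrete (one Phase 2 SA per local/remote subnet pair when tunnel sharing is "one VPN tunnel per subnet pair", and no overlap between the domains of different communities), here is an added Python example that is not from this thread or from Check Point. The community names, subnets and the assumption that overlapping *remote* domains across communities is the conflict to look for are all constructed for illustration.

```python
"""Added example: enumerate the subnet pairs a community would negotiate
Phase 2 SAs for, and flag encryption domains that overlap between communities.
Not Check Point code; all community names and subnets are constructed."""
import ipaddress
from itertools import product


def subnet_pairs(local_ed, remote_ed):
    """With 'one VPN tunnel per subnet pair', every (local, remote) subnet
    pair is negotiated as its own Phase 2 SA. Returns the list of pairs."""
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_ed]
    remotes = [ipaddress.ip_network(n, strict=False) for n in remote_ed]
    return [(str(l), str(r)) for l, r in product(locals_, remotes)]


def overlapping_domains(communities, side="remote"):
    """communities: {name: {"local": [...], "remote": [...]}}.
    Returns (community_a, community_b, side, subnet_a, subnet_b) for every
    subnet of `side` in one community that overlaps a subnet of the same
    side in another community (assumed here to be the conflict to avoid)."""
    hits = []
    names = sorted(communities)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in communities[a][side]:
                for nb in communities[b][side]:
                    pa = ipaddress.ip_network(na, strict=False)
                    pb = ipaddress.ip_network(nb, strict=False)
                    if pa.overlaps(pb):
                        hits.append((a, b, side, na, nb))
    return hits


# Constructed sample: three local subnets (two of them the NATed ones from
# the question) towards a single remote host, plus a second community whose
# remote domain accidentally contains that same host.
COMMUNITIES = {
    "partner-A": {"local": ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"],
                  "remote": ["192.0.2.85/32"]},
    "partner-B": {"local": ["10.20.0.0/16"],
                  "remote": ["192.0.2.0/24"]},
}

if __name__ == "__main__":
    for pair in subnet_pairs(**COMMUNITIES["partner-A"]):
        print("expected Phase 2 SA:", pair)
    for hit in overlapping_domains(COMMUNITIES):
        print("overlap between communities:", hit)
```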
gemechisd
Contributor

@RS_Daniel 

Thank you for the information.

We have 2 new additional local EDs. There is one remote ED. Currently there are two encryption domains which are up and active. However, we are still not successful with the third encryption domain. All three are within the same VPN community.

0 Kudos
PhoneBoy
Admin

We only support a single Encryption Domain per VPN Community (as of R80.40).
To have different encryption domains, you'd have to have three separate VPN communities each communicating with a different IP address.
We do not support establishing multiple VPNs to the same IP address.

0 Kudos
gemechisd
Contributor

@PhoneBoy 

But currently there are two encryption domains which are up and active. However, we are still not successful with the third encryption domain within a single VPN community.

The local and remote peer addresses are the same. So, can't we add encryption domains within a single VPN community?

0 Kudos
PhoneBoy
Admin

In R80.40 and above, you can specify a different local encryption domain for the local gateway based on the VPN Community used.
For remote VPN peers, the encryption domain is associated with the peer itself, not the VPN Community.
Only a single Encryption Domain is supported on a remote VPN peer.
Which means what you are trying to do is NOT supported.

0 Kudos